Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1983 vulnerabilities reference this CWE, most recent first.

GHSA-26M2-2WHW-VFV9

Vulnerability from github – Published: 2026-07-11 15:30 – Updated: 2026-07-11 15:30
VLAI
Details

ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallowed paths by bypassing configured policy restrictions through the APNG encoding process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-61858"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-11T14:16:24Z",
    "severity": "MODERATE"
  },
  "details": "ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallowed paths by bypassing configured policy restrictions through the APNG encoding process.",
  "id": "GHSA-26m2-2whw-vfv9",
  "modified": "2026-07-11T15:30:23Z",
  "published": "2026-07-11T15:30:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v3j6-27vc-7pw2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-61858"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/imagemagick-before-26-policy-bypass-via-apng-encoder"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2776-M3XX-F2VF

Vulnerability from github – Published: 2022-05-17 02:18 – Updated: 2022-05-17 02:18
VLAI
Details

radiance 3R9+20080530 allows local users to overwrite arbitrary files via a symlink attack on (a) /tmp/opt.fmt, (b) /tmp/out#####.fmt, (c) /tmp/tf#####.dat, (d) /tmp/gsf#####, (e) /tmp/sc#####.sh, (f) /tmp/il#####.pic, (g) /tmp/tl#####.pic, (h) /tmp/ds#####.pic, (i) /tmp/tfa#####, and (j) /tmp/sed##### temporary files, related to the (1) optics2rad, (2) pdelta, (3) dayfact, and (4) raddepend scripts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-4978"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-11-06T15:55:00Z",
    "severity": "MODERATE"
  },
  "details": "radiance 3R9+20080530 allows local users to overwrite arbitrary files via a symlink attack on (a) /tmp/opt.fmt, (b) /tmp/out#####.fmt, (c) /tmp/tf#####.dat, (d) /tmp/gsf#####, (e) /tmp/sc#####.sh, (f) /tmp/il#####.pic, (g) /tmp/tl#####.pic, (h) /tmp/ds#####.pic, (i) /tmp/tfa#####, and (j) /tmp/sed##### temporary files, related to the (1) optics2rad, (2) pdelta, (3) dayfact, and (4) raddepend scripts.",
  "id": "GHSA-2776-m3xx-f2vf",
  "modified": "2022-05-17T02:18:28Z",
  "published": "2022-05-17T02:18:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4978"
    },
    {
      "type": "WEB",
      "url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44846"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/496433"
    },
    {
      "type": "WEB",
      "url": "http://dev.gentoo.org/~rbu/security/debiantemp/radiance"
    },
    {
      "type": "WEB",
      "url": "http://uvw.ru/report.lenny.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/30953"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-279P-XGVM-R6G6

Vulnerability from github – Published: 2022-05-17 04:44 – Updated: 2022-05-17 04:44
VLAI
Details

DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 does not properly create temporary files, which allows local users to obtain the XAUTHORITY file content for a user via a symlink attack on the temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-3154"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-04-17T14:55:00Z",
    "severity": "LOW"
  },
  "details": "DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 does not properly create temporary files, which allows local users to obtain the XAUTHORITY file content for a user via a symlink attack on the temporary file.",
  "id": "GHSA-279p-xgvm-r6g6",
  "modified": "2022-05-17T04:44:57Z",
  "published": "2022-05-17T04:44:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3154"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/881541"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/47024"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1284-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-27GF-J34Q-JWV5

Vulnerability from github – Published: 2022-10-10 19:00 – Updated: 2022-10-11 19:00
VLAI
Details

Warpinator through 1.2.14 allows access outside of an intended directory, as demonstrated by symbolic directory links.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42725"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-10T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "Warpinator through 1.2.14 allows access outside of an intended directory, as demonstrated by symbolic directory links.",
  "id": "GHSA-27gf-j34q-jwv5",
  "modified": "2022-10-11T19:00:26Z",
  "published": "2022-10-10T19:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42725"
    },
    {
      "type": "WEB",
      "url": "https://github.com/linuxmint/warpinator/commit/5244c33d4c109ede9607b9d94461650410e2cddc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/linuxmint/warpinator/commit/8bfd2f8b3f1b0c0f0a5a6d275702d107b9e08a94"
    },
    {
      "type": "WEB",
      "url": "https://github.com/linuxmint/warpinator/commit/95124fd4468683dd69ddd7b3da0e9906ce6beae2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/linuxmint/warpinator/commit/f4907ef6a17a189d56ab0a9da4b53190b061ad75"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/10/24/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/04/26/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-27Q6-288H-36J9

Vulnerability from github – Published: 2022-05-17 05:53 – Updated: 2022-05-17 05:53
VLAI
Details

** DISPUTED ** postfix_groups.pl in Postfix 2.5.2 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/postfix_groups.stdout, (2) /tmp/postfix_groups.stderr, and (3) /tmp/postfix_groups.message temporary files. NOTE: the vendor disputes this vulnerability, stating "This is not a real issue ... users would have to edit a script under /usr/lib to enable it."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-4977"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-11-06T15:55:00Z",
    "severity": "MODERATE"
  },
  "details": "** DISPUTED **  postfix_groups.pl in Postfix 2.5.2 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/postfix_groups.stdout, (2) /tmp/postfix_groups.stderr, and (3) /tmp/postfix_groups.message temporary files.  NOTE: the vendor disputes this vulnerability, stating \"This is not a real issue ... users would have to edit a script under /usr/lib to enable it.\"",
  "id": "GHSA-27q6-288h-36j9",
  "modified": "2022-05-17T05:53:38Z",
  "published": "2022-05-17T05:53:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4977"
    },
    {
      "type": "WEB",
      "url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
    },
    {
      "type": "WEB",
      "url": "https://bugs.gentoo.org/show_bug.cgi?id=235811"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/496401"
    },
    {
      "type": "WEB",
      "url": "http://dev.gentoo.org/~rbu/security/debiantemp/postfix"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-27QC-C946-G657

Vulnerability from github – Published: 2022-05-02 03:12 – Updated: 2022-05-02 03:12
VLAI
Details

CUPS on Mandriva Linux 2008.0, 2008.1, 2009.0, Corporate Server (CS) 3.0 and 4.0, and Multi Network Firewall (MNF) 2.0 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pdf.log temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-0032"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-01-27T20:30:00Z",
    "severity": "MODERATE"
  },
  "details": "CUPS on Mandriva Linux 2008.0, 2008.1, 2009.0, Corporate Server (CS) 3.0 and 4.0, and Multi Network Firewall (MNF) 2.0 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pdf.log temporary file.",
  "id": "GHSA-27qc-c946-g657",
  "modified": "2022-05-02T03:12:29Z",
  "published": "2022-05-02T03:12:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0032"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48210"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1021637"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:027"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:028"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:029"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/33418"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-28F2-GW74-5CPJ

Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2025-04-20 03:49
VLAI
Details

The setpermissions function in the auto-updater in Arq before 5.9.7 for Mac allows local users to gain root privileges via a symlink attack on the updater binary itself.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15357"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-01T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "The setpermissions function in the auto-updater in Arq before 5.9.7 for Mac allows local users to gain root privileges via a symlink attack on the updater binary itself.",
  "id": "GHSA-28f2-gw74-5cpj",
  "modified": "2025-04-20T03:49:23Z",
  "published": "2022-05-13T01:27:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15357"
    },
    {
      "type": "WEB",
      "url": "https://m4.rkw.io/blog/cve201715357-local-root-privesc-in-arq-backup--596.html"
    },
    {
      "type": "WEB",
      "url": "https://www.arqbackup.com/download/arq5_release_notes.html"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/43218"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-28FH-4J57-CC4W

Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2022-05-24 17:27
VLAI
Details

A vulnerability in Trend Micro Apex One and OfficeScan XG SP1 on Microsoft Windows may allow an attacker to create a hard link to any file on the system, which then could be manipulated to gain a privilege escalation and code execution. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Please note that version 1909 (OS Build 18363.719) of Microsoft Windows 10 mitigates hard links, but previous versions are affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24556"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-01T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in Trend Micro Apex One and OfficeScan XG SP1 on Microsoft Windows may allow an attacker to create a hard link to any file on the system, which then could be manipulated to gain a privilege escalation and code execution. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Please note that version 1909 (OS Build 18363.719) of Microsoft Windows 10 mitigates hard links, but previous versions are affected.",
  "id": "GHSA-28fh-4j57-cc4w",
  "modified": "2022-05-24T17:27:08Z",
  "published": "2022-05-24T17:27:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24556"
    },
    {
      "type": "WEB",
      "url": "https://success.trendmicro.com/solution/000263632"
    },
    {
      "type": "WEB",
      "url": "https://success.trendmicro.com/solution/000263633"
    },
    {
      "type": "WEB",
      "url": "https://success.trendmicro.com/solution/000267260"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1093"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-28M8-9J7V-X499

Vulnerability from github – Published: 2022-09-16 19:28 – Updated: 2022-09-22 17:28
VLAI
Summary
Tauri's readDir Endpoint Scope can be Bypassed With Symbolic Links
Details

Impact

Due to missing canonicalization when readDir is called recursively, it was possible to display directory listings outside of the defined fs scope. This required a crafted symbolic link or junction folder inside an allowed path of the fs scope. No arbitrary file content could be leaked.

Patches

The issue has been resolved in https://github.com/tauri-apps/tauri/pull/5123 and the implementation now properly checks if the requested (sub) directory is a symbolic link outside of the defined scope.

Workarounds

Disable the readDir endpoint in the allowlist inside the tauri.conf.json.

For more information

This issue was initially reported by martin-ocasek in #4882.

If you have any questions or comments about this advisory: * Open an issue in tauri * Email us at security@tauri.app

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "tauri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-16T19:28:49Z",
    "nvd_published_at": "2022-09-15T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nDue to missing canonicalization when `readDir` is called recursively, it was possible to display directory listings outside of the defined `fs` scope. This required a crafted symbolic link or junction folder inside an allowed path of the `fs` scope. No arbitrary file content could be leaked.\n\n\n### Patches\nThe issue has been resolved in https://github.com/tauri-apps/tauri/pull/5123 and the implementation now properly checks if the\nrequested (sub) directory is a symbolic link outside of the defined `scope`.\n\n### Workarounds\nDisable the `readDir` endpoint in the `allowlist` inside the `tauri.conf.json`.\n\n### For more information\n\nThis issue was initially reported by [martin-ocasek]( https://github.com/martin-ocasek) in [#4882](https://github.com/tauri-apps/tauri/issues/4882).\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [tauri](https://github.com/tauri-apps/tauri)\n* Email us at [security@tauri.app](mailto:security@tauri.app)\n",
  "id": "GHSA-28m8-9j7v-x499",
  "modified": "2022-09-22T17:28:05Z",
  "published": "2022-09-16T19:28:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-28m8-9j7v-x499"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39215"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/issues/4882"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/pull/5123"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/pull/5123/commits/1f9b9e8d26a2c915390323e161020bcb36d44678"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/commit/bb178829086e80916f9be190f02d83bc25802799"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tauri-apps/tauri"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/releases/tag/tauri-v1.0.6"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0088.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Tauri\u0027s readDir Endpoint Scope can be Bypassed With Symbolic Links"
}

GHSA-28XP-G7F6-7MHF

Vulnerability from github – Published: 2022-05-14 03:49 – Updated: 2023-10-10 16:33
VLAI
Summary
Syncthing vulnerable to symlink traversal and arbitrary file overwrite
Details

Syncthing version 0.14.33 and older erronously versions symlinks when they are deleted. If a directory is then created with the same name, a file created in that directory, and the file deleted, it is moved into the symlink target. This can lead to symlink traversal resulting in arbitrary file overwrite.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/syncthing/syncthing"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.14.33"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-1000420"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-26T22:17:40Z",
    "nvd_published_at": "2018-01-02T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "Syncthing version 0.14.33 and older erronously versions symlinks when they are deleted. If a directory is then created with the same name, a file created in that directory, and the file deleted, it is moved into the symlink target. This can lead to symlink traversal resulting in arbitrary file overwrite.",
  "id": "GHSA-28xp-g7f6-7mhf",
  "modified": "2023-10-10T16:33:31Z",
  "published": "2022-05-14T03:49:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000420"
    },
    {
      "type": "WEB",
      "url": "https://github.com/syncthing/syncthing/issues/4286"
    },
    {
      "type": "WEB",
      "url": "https://github.com/syncthing/syncthing/commit/f1f21bf22020d9b881478c2e942ba6943c8da2f3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/syncthing/syncthing"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Syncthing vulnerable to symlink traversal and arbitrary file overwrite"
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.