Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1984 vulnerabilities reference this CWE, most recent first.

GHSA-2J7J-MG3J-2MR8

Vulnerability from github – Published: 2022-05-01 18:33 – Updated: 2022-05-01 18:33
VLAI
Details

sealert in setroubleshoot 2.0.5 allows local users to overwrite arbitrary files via a symlink attack on the sealert.log temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-5495"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-05-23T15:32:00Z",
    "severity": "MODERATE"
  },
  "details": "sealert in setroubleshoot 2.0.5 allows local users to overwrite arbitrary files via a symlink attack on the sealert.log temporary file.",
  "id": "GHSA-2j7j-mg3j-2mr8",
  "modified": "2022-05-01T18:33:59Z",
  "published": "2022-05-01T18:33:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5495"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=288221"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42591"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9705"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/30339"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1020077"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2008-0061.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/29320"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2JC2-R9GV-GX5X

Vulnerability from github – Published: 2026-06-11 21:31 – Updated: 2026-06-11 21:31
VLAI
Details

This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.4. An app may be able to access protected user data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46293"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-11T19:16:34Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.4. An app may be able to access protected user data.",
  "id": "GHSA-2jc2-r9gv-gx5x",
  "modified": "2026-06-11T21:31:55Z",
  "published": "2026-06-11T21:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46293"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122373"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2JC3-8RQ8-7X2X

Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2024-04-04 02:31
VLAI
Details

It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-7500"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-13T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.",
  "id": "GHSA-2jc3-8rq8-7x2x",
  "modified": "2024-04-04T02:31:37Z",
  "published": "2022-05-24T16:59:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7500"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rpm-software-management/rpm/commit/c815822c8bdb138066ff58c624ae83e3a12ebfa9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rpm-software-management/rpm/commit/f2d3be2a8741234faaa96f5fd05fdfdc75779a79"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7500"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2JCP-64Q4-69C4

Vulnerability from github – Published: 2023-10-25 21:30 – Updated: 2023-11-02 18:30
VLAI
Details

This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. A website may be able to access sensitive user data when resolving symlinks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42844"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-25T19:15:10Z",
    "severity": "HIGH"
  },
  "details": "This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. A website may be able to access sensitive user data when resolving symlinks.",
  "id": "GHSA-2jcp-64q4-69c4",
  "modified": "2023-11-02T18:30:23Z",
  "published": "2023-10-25T21:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42844"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213983"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213984"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213985"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213983"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213984"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213985"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/Oct/21"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/Oct/24"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/Oct/26"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2JCP-PPP2-C9RV

Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-04-04 00:17
VLAI
Details

A local attacker can create a hard-link between a file to which the Check Point Endpoint Security client for Windows before E80.96 writes and another BAT file, then by impersonating the WPAD server, the attacker can write BAT commands into that file that will later be run by the user or the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-8454"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-65"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-29T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "A local attacker can create a hard-link between a file to which the Check Point Endpoint Security client for Windows before E80.96 writes and another BAT file, then by impersonating the WPAD server, the attacker can write BAT commands into that file that will later be run by the user or the system.",
  "id": "GHSA-2jcp-ppp2-c9rv",
  "modified": "2024-04-04T00:17:41Z",
  "published": "2022-05-24T16:44:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8454"
    },
    {
      "type": "WEB",
      "url": "https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=\u0026solutionid=sk150012"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2JF9-5HF7-R448

Vulnerability from github – Published: 2025-10-08 18:30 – Updated: 2025-10-08 18:30
VLAI
Details

A security vulnerability has been detected in wonderwhy-er DesktopCommanderMCP up to 0.2.13. This vulnerability affects the function isPathAllowed of the file src/tools/filesystem.ts. The manipulation leads to symlink following. The attack can only be performed from a local environment. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The vendor explains: "Our restriction features are designed as guardrails for LLMs to help them stay closer to what users want, rather than hardened security boundaries. (...) For users where security is a top priority, we continue to recommend using Desktop Commander with Docker, which provides actual isolation. (...) We'll keep this issue open for future consideration if we receive more user demand for improved restrictions." This vulnerability only affects products that are no longer supported by the maintainer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-08T18:15:34Z",
    "severity": "LOW"
  },
  "details": "A security vulnerability has been detected in wonderwhy-er DesktopCommanderMCP up to 0.2.13. This vulnerability affects the function isPathAllowed of the file src/tools/filesystem.ts. The manipulation leads to symlink following. The attack can only be performed from a local environment. The attack\u0027s complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The vendor explains: \"Our restriction features are designed as guardrails for LLMs to help them stay closer to what users want, rather than hardened security boundaries. (...) For users where security is a top priority, we continue to recommend using Desktop Commander with Docker, which provides actual isolation. (...) We\u0027ll keep this issue open for future consideration if we receive more user demand for improved restrictions.\" This vulnerability only affects products that are no longer supported by the maintainer.",
  "id": "GHSA-2jf9-5hf7-r448",
  "modified": "2025-10-08T18:30:16Z",
  "published": "2025-10-08T18:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11489"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wonderwhy-er/DesktopCommanderMCP/issues/219"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wonderwhy-er/DesktopCommanderMCP/issues/219#issue-3343862329"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wonderwhy-er/DesktopCommanderMCP/issues/219#issuecomment-3214114903"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.327606"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.327606"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.668004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2JQ4-Q6VV-4CP3

Vulnerability from github – Published: 2026-06-18 17:25 – Updated: 2026-06-18 17:25
VLAI
Summary
Crawl4AI: Arbitrary file write (path traversal) in crawler downloads can lead to RCE
Details

Summary

When the crawler saves a downloaded file, the destination filename was taken from attacker-influenced input and joined to the downloads directory with no confinement. A filename containing an absolute path (e.g. /etc/cron.d/evil) or ../ traversal escaped the downloads directory, giving an arbitrary file write with attacker-controlled contents. Because the written bytes are attacker-controlled, this escalates to remote code execution (overwriting a shell rc-file, ~/.ssh/authorized_keys, a cron entry, or a Python module on the import path).

Affected paths

Two download sinks in crawl4ai/async_crawler_strategy.py: - HTTP crawler (AsyncHTTPCrawlerStrategy): the filename is parsed from the response Content-Disposition header by _extract_filename() and written via aiofiles.open(filepath, 'wb'). Reachable directly via the SDK, and via the unauthenticated Docker /crawl endpoint when an HTTPCrawlerConfig is supplied. - Browser crawler (AsyncPlaywrightCrawlerStrategy): the download's suggested_filename (controllable by the visited page) is joined to downloads_path and written via download.save_as().

The HTTP-strategy sink is reachable pre-auth on the default Docker deployment; both are reachable for SDK users simply by crawling an attacker-controlled URL. The default Playwright crawl path that does not trigger a download is unaffected.

Impact

Arbitrary file write with attacker-controlled content as the user running the crawler, escalating to remote code execution.

Fix

Both sinks now resolve the destination through a single hardened helper (_safe_download_filepath) that reduces the attacker-influenced name to a bare basename (dropping absolute paths and .. components) and re-checks, via realpath, that the resolved path stays inside the downloads root (defeating symlink/TOCTOU escapes). A traversal attempt is rejected; normal downloads are unchanged.

Workarounds

  • Upgrade to the patched version (0.9.0).
  • Run the crawler as an unprivileged user with a dedicated, isolated downloads directory on a volume with no sensitive paths writable.
  • Enable authentication (CRAWL4AI_API_TOKEN) on the Docker server.

Credits

Y4tacker - reported the Content-Disposition path traversal in the HTTP crawler with a clear PoC and a basename + realpath-containment fix recommendation.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.9"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "crawl4ai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T17:25:13Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nWhen the crawler saves a downloaded file, the destination filename was taken from attacker-influenced input and joined to the downloads directory with no confinement. A filename containing an absolute path (e.g. `/etc/cron.d/evil`) or `../` traversal escaped the downloads directory, giving an arbitrary file write with attacker-controlled contents. Because the written bytes are attacker-controlled, this escalates to remote code execution (overwriting a shell rc-file, `~/.ssh/authorized_keys`, a cron entry, or a Python module on the import path).\n\n### Affected paths\n\nTwo download sinks in `crawl4ai/async_crawler_strategy.py`:\n- HTTP crawler (`AsyncHTTPCrawlerStrategy`): the filename is parsed from the response `Content-Disposition` header by `_extract_filename()` and written via `aiofiles.open(filepath, \u0027wb\u0027)`. Reachable directly via the SDK, and via the unauthenticated Docker `/crawl` endpoint when an `HTTPCrawlerConfig` is supplied.\n- Browser crawler (`AsyncPlaywrightCrawlerStrategy`): the download\u0027s `suggested_filename` (controllable by the visited page) is joined to `downloads_path` and written via `download.save_as()`.\n\nThe HTTP-strategy sink is reachable pre-auth on the default Docker deployment; both are reachable for SDK users simply by crawling an attacker-controlled URL. The default Playwright crawl path that does not trigger a download is unaffected.\n\n### Impact\n\nArbitrary file write with attacker-controlled content as the user running the crawler, escalating to remote code execution.\n\n### Fix\n\nBoth sinks now resolve the destination through a single hardened helper (`_safe_download_filepath`) that reduces the attacker-influenced name to a bare basename (dropping absolute paths and `..` components) and re-checks, via `realpath`, that the resolved path stays inside the downloads root (defeating symlink/TOCTOU escapes). A traversal attempt is rejected; normal downloads are unchanged.\n\n### Workarounds\n\n- Upgrade to the patched version (0.9.0).\n- Run the crawler as an unprivileged user with a dedicated, isolated downloads directory on a volume with no sensitive paths writable.\n- Enable authentication (`CRAWL4AI_API_TOKEN`) on the Docker server.\n\n### Credits\n\nY4tacker - reported the Content-Disposition path traversal in the HTTP crawler with a clear PoC and a basename + realpath-containment fix recommendation.",
  "id": "GHSA-2jq4-q6vv-4cp3",
  "modified": "2026-06-18T17:25:13Z",
  "published": "2026-06-18T17:25:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/unclecode/crawl4ai/security/advisories/GHSA-2jq4-q6vv-4cp3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/unclecode/crawl4ai"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Crawl4AI: Arbitrary file write (path traversal) in crawler downloads can lead to RCE"
}

GHSA-2M3G-FR55-VWFH

Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32
VLAI
Details

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local user to obtain root access by exploiting a symbolic link attack to read/write/corrupt a file that they originally did not have permission to access. IBM X-Force ID: 148804.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1781"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-09T01:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local user to obtain root access by exploiting a symbolic link attack to read/write/corrupt a file that they originally did not have permission to access. IBM X-Force ID: 148804.",
  "id": "GHSA-2m3g-fr55-vwfh",
  "modified": "2022-05-13T01:32:41Z",
  "published": "2022-05-13T01:32:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1781"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/148804"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=ibm10733939"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105885"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1042086"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2M3H-X8JM-FMWH

Vulnerability from github – Published: 2026-06-09 18:30 – Updated: 2026-06-09 18:30
VLAI
Details

Improper link resolution before file access ('link following') in Winlogon allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-42989"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T17:17:15Z",
    "severity": "HIGH"
  },
  "details": "Improper link resolution before file access (\u0027link following\u0027) in Winlogon allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-2m3h-x8jm-fmwh",
  "modified": "2026-06-09T18:30:46Z",
  "published": "2026-06-09T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42989"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42989"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2M9W-9XH2-WXC3

Vulnerability from github – Published: 2022-02-16 00:01 – Updated: 2023-05-24 14:25
VLAI
Summary
Link Following in Jenkins Pipeline Multibranch Plugin
Details

Jenkins Pipeline: Multibranch Plugin prior to 2.23.1, 2.26.1, 696.698.v9b4218eea50f, and 707.v71c3f0a_6ccdb_ follows symbolic links to locations outside of the checkout directory for the configured SCM when reading files using the readTrusted step, allowing attackers able to configure Pipelines permission to read arbitrary files on the Jenkins controller file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins.workflow:workflow-multibranch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.24"
            },
            {
              "fixed": "2.26.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins.workflow:workflow-multibranch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.23.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins.workflow:workflow-multibranch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "696.v52535c46f4c9"
            },
            {
              "fixed": "696.698.v9b4218eea50f"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins.workflow:workflow-multibranch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "706.vd43c65dec013"
            },
            {
              "fixed": "707.v71c3f0a"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25179"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-25T20:40:40Z",
    "nvd_published_at": "2022-02-15T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Pipeline: Multibranch Plugin prior to 2.23.1, 2.26.1, 696.698.v9b4218eea50f, and 707.v71c3f0a_6ccdb_ follows symbolic links to locations outside of the checkout directory for the configured SCM when reading files using the readTrusted step, allowing attackers able to configure Pipelines permission to read arbitrary files on the Jenkins controller file system.",
  "id": "GHSA-2m9w-9xh2-wxc3",
  "modified": "2023-05-24T14:25:01Z",
  "published": "2022-02-16T00:01:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25179"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CVEProject/cvelist/blob/00bfb5abeecc9f553a2f42954ee540e493498ee9/2022/25xxx/CVE-2022-25179.json"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2613"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Link Following in Jenkins Pipeline Multibranch Plugin"
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.