CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1983 vulnerabilities reference this CWE, most recent first.
GHSA-2MM4-WMFR-3FFM
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 could allow a local user to access and change the configuration of Db2 due to a race condition of a symbolic link,. IBM X-Force ID: 190909.
{
"affected": [],
"aliases": [
"CVE-2020-4885"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-24T19:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 could allow a local user to access and change the configuration of Db2 due to a race condition of a symbolic link,. IBM X-Force ID: 190909.",
"id": "GHSA-2mm4-wmfr-3ffm",
"modified": "2022-05-24T19:06:14Z",
"published": "2022-05-24T19:06:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4885"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/190909"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210720-0006"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6466363"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2MV9-V6Q7-X773
Vulnerability from github – Published: 2026-04-15 15:31 – Updated: 2026-04-15 15:31During an internal security assessment, a potential vulnerability was discovered in Lenovo Diagnostics and the HardwareScanAddin used in Lenovo Vantage that, during installation or when using hardware scan, could allow a local authenticated user to perform an arbitrary file write with elevated privileges.
{
"affected": [],
"aliases": [
"CVE-2026-0827"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-15T13:16:23Z",
"severity": "MODERATE"
},
"details": "During an internal security assessment, a potential vulnerability was discovered in Lenovo Diagnostics and the HardwareScanAddin used in Lenovo Vantage that, during installation or when using hardware scan, could allow a local authenticated user to perform an arbitrary file write with elevated privileges.",
"id": "GHSA-2mv9-v6q7-x773",
"modified": "2026-04-15T15:31:42Z",
"published": "2026-04-15T15:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0827"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/us/en/product_security/LEN-210693"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2P49-45HJ-7MC9
Vulnerability from github – Published: 2026-01-21 22:40 – Updated: 2026-01-22 15:41Impact
The resolveSafeChildPath utility function in @backstage/backend-plugin-api, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation by:
- Symlink chains: Creating
link1 → link2 → /outsidewhere intermediate symlinks eventually resolve outside the allowed directory - Dangling symlinks: Creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations
This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories.
Patches
This vulnerability is fixed in @backstage/backend-plugin-api version 0.1.17. Users should upgrade to this version or later.
Workarounds
- Run Backstage in a containerised environment with limited filesystem access
- Restrict template creation to trusted users
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.1.16"
},
"package": {
"ecosystem": "npm",
"name": "@backstage/cli-common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-24047"
],
"database_specific": {
"cwe_ids": [
"CWE-59",
"CWE-61"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-21T22:40:51Z",
"nvd_published_at": "2026-01-21T23:15:53Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation by:\n\n1. **Symlink chains**: Creating `link1 \u2192 link2 \u2192 /outside` where intermediate symlinks eventually resolve outside the allowed directory\n2. **Dangling symlinks**: Creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations\n\nThis function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories.\n\n### Patches\n\nThis vulnerability is fixed in `@backstage/backend-plugin-api` version 0.1.17. Users should upgrade to this version or later.\n\n### Workarounds\n\n- Run Backstage in a containerised environment with limited filesystem access\n- Restrict template creation to trusted users",
"id": "GHSA-2p49-45hj-7mc9",
"modified": "2026-01-22T15:41:11Z",
"published": "2026-01-21T22:40:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-2p49-45hj-7mc9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24047"
},
{
"type": "WEB",
"url": "https://github.com/backstage/backstage/commit/ae4dd5d1572a4f639e1a466fd982656b50f8e692"
},
{
"type": "PACKAGE",
"url": "https://github.com/backstage/backstage"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "@backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass"
}
GHSA-2P5V-3F2J-GQ28
Vulnerability from github – Published: 2024-11-22 21:32 – Updated: 2024-11-22 21:32G DATA Total Security Scan Server Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of G DATA Total Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the G DATA AntiVirus Scan Server. By creating a symbolic link, an attacker can abuse the service to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23381.
{
"affected": [],
"aliases": [
"CVE-2024-30377"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-22T20:15:08Z",
"severity": "HIGH"
},
"details": "G DATA Total Security Scan Server Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of G DATA Total Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the G DATA AntiVirus Scan Server. By creating a symbolic link, an attacker can abuse the service to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23381.",
"id": "GHSA-2p5v-3f2j-gq28",
"modified": "2024-11-22T21:32:16Z",
"published": "2024-11-22T21:32:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30377"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1159"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2PF3-GJP3-CX53
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-08-31 00:00By exploiting a time of check to time of use (TOCTOU) race condition during the Endpoint Security for Linux Threat Prevention and Firewall (ENSL TP/FW) installation process, a local user can perform a privilege escalation attack to obtain administrator privileges for the purpose of executing arbitrary code through insecure use of predictable temporary file locations.
{
"affected": [],
"aliases": [
"CVE-2021-23892"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-367",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-12T09:15:00Z",
"severity": "HIGH"
},
"details": "By exploiting a time of check to time of use (TOCTOU) race condition during the Endpoint Security for Linux Threat Prevention and Firewall (ENSL TP/FW) installation process, a local user can perform a privilege escalation attack to obtain administrator privileges for the purpose of executing arbitrary code through insecure use of predictable temporary file locations.",
"id": "GHSA-2pf3-gjp3-cx53",
"modified": "2022-08-31T00:00:18Z",
"published": "2022-05-24T19:02:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23892"
},
{
"type": "WEB",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10355"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2PFR-2XMV-J9V4
Vulnerability from github – Published: 2022-09-20 00:00 – Updated: 2022-09-22 00:00A link following local privilege escalation vulnerability in Trend Micro Apex One and Trend Micro Apex One as a Service servers could allow a local attacker to abuse an insecure directory that could allow a low-privileged user to run arbitrary code with elevated privileges. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-40143"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-19T18:15:00Z",
"severity": "HIGH"
},
"details": "A link following local privilege escalation vulnerability in Trend Micro Apex One and Trend Micro Apex One as a Service servers could allow a local attacker to abuse an insecure directory that could allow a low-privileged user to run arbitrary code with elevated privileges. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
"id": "GHSA-2pfr-2xmv-j9v4",
"modified": "2022-09-22T00:00:31Z",
"published": "2022-09-20T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40143"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/solution/000291528"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1191"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2PQX-426G-HRMC
Vulnerability from github – Published: 2022-05-17 02:00 – Updated: 2022-05-17 02:00The (1) bin/invscoutClient_VPD_Survey and (2) sbin/invscout_lsvpd programs in invscout.rte before 2.2.0.19 on IBM AIX 7.1, 6.1, 5.3, and earlier allow local users to delete arbitrary files, or trigger inventory scout operations on arbitrary files, via a symlink attack on an unspecified file.
{
"affected": [],
"aliases": [
"CVE-2011-1384"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-01-04T03:55:00Z",
"severity": "MODERATE"
},
"details": "The (1) bin/invscoutClient_VPD_Survey and (2) sbin/invscout_lsvpd programs in invscout.rte before 2.2.0.19 on IBM AIX 7.1, 6.1, 5.3, and earlier allow local users to delete arbitrary files, or trigger inventory scout operations on arbitrary files, via a symlink attack on an unspecified file.",
"id": "GHSA-2pqx-426g-hrmc",
"modified": "2022-05-17T02:00:43Z",
"published": "2022-05-17T02:00:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1384"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71615"
},
{
"type": "WEB",
"url": "http://aix.software.ibm.com/aix/efixes/security/invscout_advisory2.asc"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/47222"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=isg1IV11643"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/51059"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/51083"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2Q7W-JPCQ-P6GW
Vulnerability from github – Published: 2023-04-27 21:30 – Updated: 2024-04-04 03:42Docker Desktop for Windows before 4.6.0 allows attackers to overwrite any file through a symlink attack on the hyperv/create dockerBackendV2 API by controlling the DataFolder parameter for DockerDesktop.vhdx, a similar issue to CVE-2022-31647.
{
"affected": [],
"aliases": [
"CVE-2022-34292"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-27T20:15:40Z",
"severity": "HIGH"
},
"details": "Docker Desktop for Windows before 4.6.0 allows attackers to overwrite any file through a symlink attack on the hyperv/create dockerBackendV2 API by controlling the DataFolder parameter for DockerDesktop.vhdx, a similar issue to CVE-2022-31647.",
"id": "GHSA-2q7w-jpcq-p6gw",
"modified": "2024-04-04T03:42:58Z",
"published": "2023-04-27T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34292"
},
{
"type": "WEB",
"url": "https://docs.docker.com/desktop/release-notes/#docker-desktop-460"
},
{
"type": "WEB",
"url": "https://www.cyberark.com/resources/threat-research-blog/breaking-docker-named-pipes-systematically-docker-desktop-privilege-escalation-part-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2Q9M-V2C6-Q9RC
Vulnerability from github – Published: 2022-02-25 00:01 – Updated: 2022-03-04 00:00A link following privilege escalation vulnerability in Trend Micro Antivirus for Max 11.0.2150 and below could allow a local attacker to modify a file during the update process and escalate their privileges. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-24671"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-24T03:15:00Z",
"severity": "HIGH"
},
"details": "A link following privilege escalation vulnerability in Trend Micro Antivirus for Max 11.0.2150 and below could allow a local attacker to modify a file during the update process and escalate their privileges. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
"id": "GHSA-2q9m-v2c6-q9rc",
"modified": "2022-03-04T00:00:36Z",
"published": "2022-02-25T00:01:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24671"
},
{
"type": "WEB",
"url": "https://helpcenter.trendmicro.com/en-us/article/TMKA-10937"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-371"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2QXV-MGHJ-HFHR
Vulnerability from github – Published: 2022-04-23 00:40 – Updated: 2022-04-23 00:40The init script in the Debian x11-common package before 1:7.6+12 is vulnerable to a symlink attack that can lead to a privilege escalation during package installation.
{
"affected": [],
"aliases": [
"CVE-2012-1093"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-21T19:15:00Z",
"severity": "MODERATE"
},
"details": "The init script in the Debian x11-common package before 1:7.6+12 is vulnerable to a symlink attack that can lead to a privilege escalation during package installation.",
"id": "GHSA-2qxv-mghj-hfhr",
"modified": "2022-04-23T00:40:47Z",
"published": "2022-04-23T00:40:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1093"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2012-1093"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2012-1093"
},
{
"type": "WEB",
"url": "http://vladz.devzero.fr/012_x11-common-vuln.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/02/29/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/03/01/1"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.