Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1983 vulnerabilities reference this CWE, most recent first.

GHSA-2MM4-WMFR-3FFM

Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06
VLAI
Details

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 could allow a local user to access and change the configuration of Db2 due to a race condition of a symbolic link,. IBM X-Force ID: 190909.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-4885"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-24T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 could allow a local user to access and change the configuration of Db2 due to a race condition of a symbolic link,. IBM X-Force ID: 190909.",
  "id": "GHSA-2mm4-wmfr-3ffm",
  "modified": "2022-05-24T19:06:14Z",
  "published": "2022-05-24T19:06:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4885"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/190909"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210720-0006"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6466363"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2MV9-V6Q7-X773

Vulnerability from github – Published: 2026-04-15 15:31 – Updated: 2026-04-15 15:31
VLAI
Details

During an internal security assessment, a potential vulnerability was discovered in Lenovo Diagnostics and the HardwareScanAddin used in Lenovo Vantage that, during installation or when using hardware scan, could allow a local authenticated user to perform an arbitrary file write with elevated privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0827"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-15T13:16:23Z",
    "severity": "MODERATE"
  },
  "details": "During an internal security assessment, a potential vulnerability was discovered in Lenovo Diagnostics and the HardwareScanAddin used in Lenovo Vantage that, during installation or when using hardware scan, could allow a local authenticated user to perform an arbitrary file write with elevated privileges.",
  "id": "GHSA-2mv9-v6q7-x773",
  "modified": "2026-04-15T15:31:42Z",
  "published": "2026-04-15T15:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0827"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/us/en/product_security/LEN-210693"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2P49-45HJ-7MC9

Vulnerability from github – Published: 2026-01-21 22:40 – Updated: 2026-01-22 15:41
VLAI
Summary
@backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass
Details

Impact

The resolveSafeChildPath utility function in @backstage/backend-plugin-api, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation by:

  1. Symlink chains: Creating link1 → link2 → /outside where intermediate symlinks eventually resolve outside the allowed directory
  2. Dangling symlinks: Creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations

This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories.

Patches

This vulnerability is fixed in @backstage/backend-plugin-api version 0.1.17. Users should upgrade to this version or later.

Workarounds

  • Run Backstage in a containerised environment with limited filesystem access
  • Restrict template creation to trusted users
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.1.16"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@backstage/cli-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24047"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-21T22:40:51Z",
    "nvd_published_at": "2026-01-21T23:15:53Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation by:\n\n1. **Symlink chains**: Creating `link1 \u2192 link2 \u2192 /outside` where intermediate symlinks eventually resolve outside the allowed directory\n2. **Dangling symlinks**: Creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations\n\nThis function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories.\n\n### Patches\n\nThis vulnerability is fixed in `@backstage/backend-plugin-api` version 0.1.17. Users should upgrade to this version or later.\n\n### Workarounds\n\n- Run Backstage in a containerised environment with limited filesystem access\n- Restrict template creation to trusted users",
  "id": "GHSA-2p49-45hj-7mc9",
  "modified": "2026-01-22T15:41:11Z",
  "published": "2026-01-21T22:40:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/backstage/backstage/security/advisories/GHSA-2p49-45hj-7mc9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24047"
    },
    {
      "type": "WEB",
      "url": "https://github.com/backstage/backstage/commit/ae4dd5d1572a4f639e1a466fd982656b50f8e692"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/backstage/backstage"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass"
}

GHSA-2P5V-3F2J-GQ28

Vulnerability from github – Published: 2024-11-22 21:32 – Updated: 2024-11-22 21:32
VLAI
Details

G DATA Total Security Scan Server Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of G DATA Total Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the G DATA AntiVirus Scan Server. By creating a symbolic link, an attacker can abuse the service to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23381.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30377"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-22T20:15:08Z",
    "severity": "HIGH"
  },
  "details": "G DATA Total Security Scan Server Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of G DATA Total Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the G DATA AntiVirus Scan Server. By creating a symbolic link, an attacker can abuse the service to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23381.",
  "id": "GHSA-2p5v-3f2j-gq28",
  "modified": "2024-11-22T21:32:16Z",
  "published": "2024-11-22T21:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30377"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1159"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2PF3-GJP3-CX53

Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-08-31 00:00
VLAI
Details

By exploiting a time of check to time of use (TOCTOU) race condition during the Endpoint Security for Linux Threat Prevention and Firewall (ENSL TP/FW) installation process, a local user can perform a privilege escalation attack to obtain administrator privileges for the purpose of executing arbitrary code through insecure use of predictable temporary file locations.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-23892"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-367",
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-12T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "By exploiting a time of check to time of use (TOCTOU) race condition during the Endpoint Security for Linux Threat Prevention and Firewall (ENSL TP/FW) installation process, a local user can perform a privilege escalation attack to obtain administrator privileges for the purpose of executing arbitrary code through insecure use of predictable temporary file locations.",
  "id": "GHSA-2pf3-gjp3-cx53",
  "modified": "2022-08-31T00:00:18Z",
  "published": "2022-05-24T19:02:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23892"
    },
    {
      "type": "WEB",
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10355"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2PFR-2XMV-J9V4

Vulnerability from github – Published: 2022-09-20 00:00 – Updated: 2022-09-22 00:00
VLAI
Details

A link following local privilege escalation vulnerability in Trend Micro Apex One and Trend Micro Apex One as a Service servers could allow a local attacker to abuse an insecure directory that could allow a low-privileged user to run arbitrary code with elevated privileges. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40143"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-19T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A link following local privilege escalation vulnerability in Trend Micro Apex One and Trend Micro Apex One as a Service servers could allow a local attacker to abuse an insecure directory that could allow a low-privileged user to run arbitrary code with elevated privileges. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
  "id": "GHSA-2pfr-2xmv-j9v4",
  "modified": "2022-09-22T00:00:31Z",
  "published": "2022-09-20T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40143"
    },
    {
      "type": "WEB",
      "url": "https://success.trendmicro.com/solution/000291528"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1191"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2PQX-426G-HRMC

Vulnerability from github – Published: 2022-05-17 02:00 – Updated: 2022-05-17 02:00
VLAI
Details

The (1) bin/invscoutClient_VPD_Survey and (2) sbin/invscout_lsvpd programs in invscout.rte before 2.2.0.19 on IBM AIX 7.1, 6.1, 5.3, and earlier allow local users to delete arbitrary files, or trigger inventory scout operations on arbitrary files, via a symlink attack on an unspecified file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-1384"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-01-04T03:55:00Z",
    "severity": "MODERATE"
  },
  "details": "The (1) bin/invscoutClient_VPD_Survey and (2) sbin/invscout_lsvpd programs in invscout.rte before 2.2.0.19 on IBM AIX 7.1, 6.1, 5.3, and earlier allow local users to delete arbitrary files, or trigger inventory scout operations on arbitrary files, via a symlink attack on an unspecified file.",
  "id": "GHSA-2pqx-426g-hrmc",
  "modified": "2022-05-17T02:00:43Z",
  "published": "2022-05-17T02:00:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1384"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71615"
    },
    {
      "type": "WEB",
      "url": "http://aix.software.ibm.com/aix/efixes/security/invscout_advisory2.asc"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/47222"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=isg1IV11643"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/51059"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/51083"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2Q7W-JPCQ-P6GW

Vulnerability from github – Published: 2023-04-27 21:30 – Updated: 2024-04-04 03:42
VLAI
Details

Docker Desktop for Windows before 4.6.0 allows attackers to overwrite any file through a symlink attack on the hyperv/create dockerBackendV2 API by controlling the DataFolder parameter for DockerDesktop.vhdx, a similar issue to CVE-2022-31647.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34292"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-27T20:15:40Z",
    "severity": "HIGH"
  },
  "details": "Docker Desktop for Windows before 4.6.0 allows attackers to overwrite any file through a symlink attack on the hyperv/create dockerBackendV2 API by controlling the DataFolder parameter for DockerDesktop.vhdx, a similar issue to CVE-2022-31647.",
  "id": "GHSA-2q7w-jpcq-p6gw",
  "modified": "2024-04-04T03:42:58Z",
  "published": "2023-04-27T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34292"
    },
    {
      "type": "WEB",
      "url": "https://docs.docker.com/desktop/release-notes/#docker-desktop-460"
    },
    {
      "type": "WEB",
      "url": "https://www.cyberark.com/resources/threat-research-blog/breaking-docker-named-pipes-systematically-docker-desktop-privilege-escalation-part-2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2Q9M-V2C6-Q9RC

Vulnerability from github – Published: 2022-02-25 00:01 – Updated: 2022-03-04 00:00
VLAI
Details

A link following privilege escalation vulnerability in Trend Micro Antivirus for Max 11.0.2150 and below could allow a local attacker to modify a file during the update process and escalate their privileges. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24671"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-24T03:15:00Z",
    "severity": "HIGH"
  },
  "details": "A link following privilege escalation vulnerability in Trend Micro Antivirus for Max 11.0.2150 and below could allow a local attacker to modify a file during the update process and escalate their privileges. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
  "id": "GHSA-2q9m-v2c6-q9rc",
  "modified": "2022-03-04T00:00:36Z",
  "published": "2022-02-25T00:01:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24671"
    },
    {
      "type": "WEB",
      "url": "https://helpcenter.trendmicro.com/en-us/article/TMKA-10937"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-371"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2QXV-MGHJ-HFHR

Vulnerability from github – Published: 2022-04-23 00:40 – Updated: 2022-04-23 00:40
VLAI
Details

The init script in the Debian x11-common package before 1:7.6+12 is vulnerable to a symlink attack that can lead to a privilege escalation during package installation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-1093"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-21T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The init script in the Debian x11-common package before 1:7.6+12 is vulnerable to a symlink attack that can lead to a privilege escalation during package installation.",
  "id": "GHSA-2qxv-mghj-hfhr",
  "modified": "2022-04-23T00:40:47Z",
  "published": "2022-04-23T00:40:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1093"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/cve-2012-1093"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2012-1093"
    },
    {
      "type": "WEB",
      "url": "http://vladz.devzero.fr/012_x11-common-vuln.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/02/29/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/03/01/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.