CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1984 vulnerabilities reference this CWE, most recent first.
GHSA-5R7F-6HMM-M99P
Vulnerability from github – Published: 2022-05-01 18:35 – Updated: 2022-05-01 18:35db2dasrrm in the DB2 Administration Server (DAS) in IBM DB2 Universal Database 9.5 before Fix Pack 1, 9.1 before Fix Pack 4a, and 8 before FixPak 16 allows local users to overwrite arbitrary files via a symlink attack on files used for initialization.
{
"affected": [],
"aliases": [
"CVE-2007-5664"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-04-16T18:05:00Z",
"severity": "MODERATE"
},
"details": "db2dasrrm in the DB2 Administration Server (DAS) in IBM DB2 Universal Database 9.5 before Fix Pack 1, 9.1 before Fix Pack 4a, and 8 before FixPak 16 allows local users to overwrite arbitrary files via a symlink attack on files used for initialization.",
"id": "GHSA-5r7f-6hmm-m99p",
"modified": "2022-05-01T18:35:41Z",
"published": "2022-05-01T18:35:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5664"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41848"
},
{
"type": "WEB",
"url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=688"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/29784"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/27870"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1019852"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2008/1237/references"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5R8P-H2WH-WVQ8
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-10-25 19:00Improper privileges management vulnerability in McAfee Endpoint Security (ENS) Windows prior to 10.7.0 September 2021 Update allows local users to access files which they would otherwise not have access to via manipulating junction links to redirect McAfee folder operations to an unintended location.
{
"affected": [],
"aliases": [
"CVE-2021-31843"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-17T14:15:00Z",
"severity": "HIGH"
},
"details": "Improper privileges management vulnerability in McAfee Endpoint Security (ENS) Windows prior to 10.7.0 September 2021 Update allows local users to access files which they would otherwise not have access to via manipulating junction links to redirect McAfee folder operations to an unintended location.",
"id": "GHSA-5r8p-h2wh-wvq8",
"modified": "2022-10-25T19:00:31Z",
"published": "2022-05-24T19:14:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31843"
},
{
"type": "WEB",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10367"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5RXR-FVX4-FR86
Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2025-12-09 18:30Dell Encryption, versions prior to 11.12.1, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering.
{
"affected": [],
"aliases": [
"CVE-2025-46636"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-09T18:15:52Z",
"severity": "MODERATE"
},
"details": "Dell Encryption, versions prior to 11.12.1, contain an Improper Link Resolution Before File Access (\u0027Link Following\u0027) vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering.",
"id": "GHSA-5rxr-fvx4-fr86",
"modified": "2025-12-09T18:30:45Z",
"published": "2025-12-09T18:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46636"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000394657/dsa-2025-442"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5V72-G8C6-FHCJ
Vulnerability from github – Published: 2024-11-23 03:31 – Updated: 2024-11-23 03:31Panda Security Dome Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Panda Security Dome. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the PSANHost executable. By creating a junction, an attacker can abuse the service to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23402.
{
"affected": [],
"aliases": [
"CVE-2024-7242"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-22T22:15:17Z",
"severity": "HIGH"
},
"details": "Panda Security Dome Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Panda Security Dome. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the PSANHost executable. By creating a junction, an attacker can abuse the service to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23402.",
"id": "GHSA-5v72-g8c6-fhcj",
"modified": "2024-11-23T03:31:58Z",
"published": "2024-11-23T03:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7242"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1017"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5VQQ-7M9G-FGPG
Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2022-05-13 01:44An issue was discovered in certain Apple products. iOS before 10.3 is affected. macOS before 10.12.4 is affected. tvOS before 10.2 is affected. watchOS before 3.2 is affected. The issue involves symlink mishandling in the "libarchive" component. It allows local users to change arbitrary directory permissions via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2017-2390"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-02T01:59:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in certain Apple products. iOS before 10.3 is affected. macOS before 10.12.4 is affected. tvOS before 10.2 is affected. watchOS before 3.2 is affected. The issue involves symlink mishandling in the \"libarchive\" component. It allows local users to change arbitrary directory permissions via unspecified vectors.",
"id": "GHSA-5vqq-7m9g-fgpg",
"modified": "2022-05-13T01:44:48Z",
"published": "2022-05-13T01:44:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2390"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207601"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207602"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207615"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207617"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97137"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038138"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5W5R-CWGX-PJQM
Vulnerability from github – Published: 2025-06-17 21:32 – Updated: 2025-06-17 21:32A link following vulnerability in the anti-malware solution portion of Trend Micro Deep Security 20.0 agents could allow a local attacker to escalate privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2025-30641"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-17T21:15:37Z",
"severity": "HIGH"
},
"details": "A link following vulnerability in the anti-malware solution portion of Trend Micro Deep Security 20.0 agents could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
"id": "GHSA-5w5r-cwgx-pjqm",
"modified": "2025-06-17T21:32:31Z",
"published": "2025-06-17T21:32:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30641"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/en-US/solution/KA-0019344"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-240"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5WFQ-MM77-25RH
Vulnerability from github – Published: 2022-05-04 00:00 – Updated: 2022-05-11 00:01In netdiag, there is a possible symbolic link following due to an improper link resolution. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06308877; Issue ID: ALPS06308877.
{
"affected": [],
"aliases": [
"CVE-2022-20085"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-03T20:15:00Z",
"severity": "MODERATE"
},
"details": "In netdiag, there is a possible symbolic link following due to an improper link resolution. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06308877; Issue ID: ALPS06308877.",
"id": "GHSA-5wfq-mm77-25rh",
"modified": "2022-05-11T00:01:43Z",
"published": "2022-05-04T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20085"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/May-2022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5WPJ-PHQ7-CQ56
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:37The quarantine restoration function in Total Defense Anti-virus 11.5.2.28 is vulnerable to symbolic link attacks, allowing files to be written to privileged directories.
{
"affected": [],
"aliases": [
"CVE-2019-18645"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-31T00:15:00Z",
"severity": "MODERATE"
},
"details": "The quarantine restoration function in Total Defense Anti-virus 11.5.2.28 is vulnerable to symbolic link attacks, allowing files to be written to privileged directories.",
"id": "GHSA-5wpj-phq7-cq56",
"modified": "2024-04-04T02:37:14Z",
"published": "2022-05-24T17:00:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18645"
},
{
"type": "WEB",
"url": "https://github.com/NtRaiseHardError/Antimalware-Research/blob/master/Total%20Defense/Local%20Privilege%20Escalation/v11.5.2.28/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5XW4-X4CG-V965
Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22NVIDIA GeForce Experience before 3.18 contains a vulnerability when ShadowPlay or GameStream is enabled. When an attacker has access to the system and creates a hard link, the software does not check for hard link attacks. This behavior may lead to code execution, denial of service, or escalation of privileges.
{
"affected": [],
"aliases": [
"CVE-2019-5674"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-28T15:29:00Z",
"severity": "HIGH"
},
"details": "NVIDIA GeForce Experience before 3.18 contains a vulnerability when ShadowPlay or GameStream is enabled. When an attacker has access to the system and creates a hard link, the software does not check for hard link attacks. This behavior may lead to code execution, denial of service, or escalation of privileges.",
"id": "GHSA-5xw4-x4cg-v965",
"modified": "2022-05-13T01:22:32Z",
"published": "2022-05-13T01:22:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5674"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/4784"
},
{
"type": "WEB",
"url": "http://support.lenovo.com/us/en/solutions/LEN-27096"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107621"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6233-JJ46-VP44
Vulnerability from github – Published: 2025-04-28 21:30 – Updated: 2025-05-10 03:30A vulnerability in the update process of Docker Desktop for Windows versions prior to 4.41.0 could allow a local, low-privileged attacker to escalate privileges to SYSTEM. During an update, Docker Desktop attempts to delete files and subdirectories under the path C:\ProgramData\Docker\config with high privileges. However, this directory often does not exist by default, and C:\ProgramData\ allows normal users to create new directories. By creating a malicious Docker\config folder structure at this location, an attacker can force the privileged update process to delete or manipulate arbitrary system files, leading to Elevation of Privilege.
{
"affected": [],
"aliases": [
"CVE-2025-3224"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-28T20:15:21Z",
"severity": "HIGH"
},
"details": "A vulnerability in the update process of Docker Desktop for Windows versions prior to 4.41.0\u00a0could allow a local, low-privileged attacker to escalate privileges to SYSTEM. During an update, Docker Desktop attempts to delete files and subdirectories under the path C:\\ProgramData\\Docker\\config with high privileges. However, this directory often does not exist by default, and C:\\ProgramData\\ allows normal users to create new directories. By creating a malicious Docker\\config folder structure at this location, an attacker can force the privileged update process to delete or manipulate arbitrary system files, leading to Elevation of Privilege.",
"id": "GHSA-6233-jj46-vp44",
"modified": "2025-05-10T03:30:21Z",
"published": "2025-04-28T21:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3224"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.