Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1985 vulnerabilities reference this CWE, most recent first.

GHSA-6MH8-R4FC-H3CH

Vulnerability from github – Published: 2022-05-17 01:17 – Updated: 2022-05-17 01:17
VLAI
Details

php-fpm allows local users to write to or create arbitrary files via a symlink attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-3211"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-25T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "php-fpm allows local users to write to or create arbitrary files via a symlink attack.",
  "id": "GHSA-6mh8-r4fc-h3ch",
  "modified": "2022-05-17T01:17:01Z",
  "published": "2022-05-17T01:17:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3211"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1228721"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6PVW-G552-53C5

Vulnerability from github – Published: 2025-10-17 17:05 – Updated: 2026-05-31 18:30
VLAI
Summary
Git LFS may write to arbitrary files via crafted symlinks
Details

Impact

When populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS.

Git LFS has resolved this problem by revising the git lfs checkout and git lfs pull commands so that they check for symbolic links in the same manner as performed by Git before writing to files in the working tree. These commands now also remove existing files in the working tree before writing new files in their place.

As well, Git LFS has resolved a problem whereby the git lfs checkout and git lfs pull commands, when run in a bare repository, could write to files visible outside the repository. While a specific and relatively unlikely set of conditions were required for this to occur, it is no longer possible under any circumstances.

Patches

This problem exists in all versions since 0.5.2 and is patched in v3.7.1. All users should upgrade to v3.7.1.

Workarounds

Support for symlinks in Git may be disabled by setting the core.symlinks configuration option to false, after which further clones and fetches will not create symbolic links. However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets.

References

For more information

If there are any questions or comments about this advisory: * For general questions, start a discussion in the Git LFS discussion forum. * For reports of additional vulnerabilities, please follow the Git LFS security reporting policy.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.7.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/git-lfs/git-lfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.2"
            },
            {
              "fixed": "3.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-26625"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-17T17:05:03Z",
    "nvd_published_at": "2025-10-17T16:15:37Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nWhen populating a Git repository\u0027s working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS.\n\nGit LFS has resolved this problem by revising the `git lfs checkout` and `git lfs pull` commands so that they check for symbolic links in the same manner as performed by Git before writing to files in the working tree.  These commands now also remove existing files in the working tree before writing new files in their place.\n\nAs well, Git LFS has resolved a problem whereby the `git lfs checkout` and `git lfs pull` commands, when run in a bare repository, could write to files visible outside the repository.  While a specific and relatively unlikely set of conditions were required for this to occur, it is no longer possible under any circumstances.\n\n### Patches\n\nThis problem exists in all versions since 0.5.2 and is patched in v3.7.1.  All users should upgrade to v3.7.1.\n\n### Workarounds\n\nSupport for symlinks in Git may be disabled by setting the `core.symlinks` configuration option to `false`, after which further clones and fetches will not create symbolic links.  However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets.\n\n### References\n\n- https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6pvw-g552-53c5\n- https://nvd.nist.gov/vuln/detail/CVE-2025-26625\n- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26625\n- https://github.com/git-lfs/git-lfs/releases/tag/v3.7.1\n- [git-lfs/git-lfs@5c11ffce9a](https://github.com/git-lfs/git-lfs/commit/5c11ffce9a4f095ff356bc781e2a031abb46c1a8)\n- [git-lfs/git-lfs@0cffe93176](https://github.com/git-lfs/git-lfs/commit/0cffe93176b870055c9dadbb3cc9a4a440e98396)\n- [git-lfs/git-lfs@d02bd13f02](https://github.com/git-lfs/git-lfs/commit/d02bd13f02ef76f6807581cd6b34709069cb3615)\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n* For general questions, start a discussion in the Git LFS [discussion forum](https://github.com/git-lfs/git-lfs/discussions).\n* For reports of additional vulnerabilities, please follow the Git LFS [security reporting policy](https://github.com/git-lfs/git-lfs/blob/main/SECURITY.md).",
  "id": "GHSA-6pvw-g552-53c5",
  "modified": "2026-05-31T18:30:24Z",
  "published": "2025-10-17T17:05:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6pvw-g552-53c5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26625"
    },
    {
      "type": "WEB",
      "url": "https://github.com/git-lfs/git-lfs/commit/0cffe93176b870055c9dadbb3cc9a4a440e98396"
    },
    {
      "type": "WEB",
      "url": "https://github.com/git-lfs/git-lfs/commit/5c11ffce9a4f095ff356bc781e2a031abb46c1a8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/git-lfs/git-lfs/commit/d02bd13f02ef76f6807581cd6b34709069cb3615"
    },
    {
      "type": "WEB",
      "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26625"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/git-lfs/git-lfs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/git-lfs/git-lfs/releases/tag/v3.7.1"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00055.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Git LFS may write to arbitrary files via crafted symlinks"
}

GHSA-6Q7F-CCC4-PGMM

Vulnerability from github – Published: 2022-05-17 02:18 – Updated: 2022-05-17 02:18
VLAI
Details

rrdedit in netmrg 0.20 allows local users to overwrite arbitrary files via a symlink attack on (1) /tmp/.xml and (2) /tmp/.backup temporary files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-4974"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-11-06T15:55:00Z",
    "severity": "MODERATE"
  },
  "details": "rrdedit in netmrg 0.20 allows local users to overwrite arbitrary files via a symlink attack on (1) /tmp/*.xml and (2) /tmp/*.backup temporary files.",
  "id": "GHSA-6q7f-ccc4-pgmm",
  "modified": "2022-05-17T02:18:28Z",
  "published": "2022-05-17T02:18:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4974"
    },
    {
      "type": "WEB",
      "url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44834"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/496384"
    },
    {
      "type": "WEB",
      "url": "http://dev.gentoo.org/~rbu/security/debiantemp/netmrg"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32490"
    },
    {
      "type": "WEB",
      "url": "http://uvw.ru/report.lenny.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/30930"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6Q8G-8JP7-R627

Vulnerability from github – Published: 2022-05-17 04:50 – Updated: 2022-05-17 04:50
VLAI
Details

base/pkit.py in HP Linux Imaging and Printing (HPLIP) through 3.13.11 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/hp-pkservice.log temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-6402"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-01-05T20:55:00Z",
    "severity": "LOW"
  },
  "details": "base/pkit.py in HP Linux Imaging and Printing (HPLIP) through 3.13.11 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/hp-pkservice.log temporary file.",
  "id": "GHSA-6q8g-8jp7-r627",
  "modified": "2022-05-17T04:50:46Z",
  "published": "2022-05-17T04:50:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6402"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.novell.com/show_bug.cgi?id=852368"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2013-6402"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725876"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00087.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00098.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2013/dsa-2829"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2085-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6QFG-8799-R575

Vulnerability from github – Published: 2021-05-18 15:30 – Updated: 2023-09-18 20:30
VLAI
Summary
Kubernetes kubectl cp Vulnerable to Symlink Attack
Details

The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could be used to allow an attacker to place a nefarious file using a symlink, outside of the destination tree.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "k8s.io/kubernetes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.13.10"
            },
            {
              "fixed": "1.13.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "k8s.io/kubernetes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.14.6"
            },
            {
              "fixed": "1.14.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "k8s.io/kubernetes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.15.3"
            },
            {
              "fixed": "1.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-11251"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-17T21:58:06Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could be used to allow an attacker to place a nefarious file using a symlink, outside of the destination tree.",
  "id": "GHSA-6qfg-8799-r575",
  "modified": "2023-09-18T20:30:39Z",
  "published": "2021-05-18T15:30:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11251"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/issues/87773"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/pull/82143"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/d/msg/kubernetes-announce/YYtEFdFimZ4/nZnOezZuBgAJ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Kubernetes kubectl cp Vulnerable to Symlink Attack"
}

GHSA-6QX3-HCM8-XH2M

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34
VLAI
Details

UNIX Symbolic Link (Symlink) Following in TP-Link Archer C9(US)_V1_180125 firmware allows an unauthenticated actor, with physical access and network access, to read sensitive files and write to a limited set of files after plugging a crafted USB drive into the router.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-5797"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-21T06:15:00Z",
    "severity": "MODERATE"
  },
  "details": "UNIX Symbolic Link (Symlink) Following in TP-Link Archer C9(US)_V1_180125 firmware allows an unauthenticated actor, with physical access and network access, to read sensitive files and write to a limited set of files after plugging a crafted USB drive into the router.",
  "id": "GHSA-6qx3-hcm8-xh2m",
  "modified": "2022-05-24T17:34:42Z",
  "published": "2022-05-24T17:34:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5797"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2020-60"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6RRJ-4W73-GW88

Vulnerability from github – Published: 2022-05-13 01:30 – Updated: 2022-05-13 01:30
VLAI
Details

The main function in android_main.cpp in thermald allows local users to write to arbitrary files via a symlink attack on /tmp/thermald.pid.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-2312"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-26T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The main function in android_main.cpp in thermald allows local users to write to arbitrary files via a symlink attack on /tmp/thermald.pid.",
  "id": "GHSA-6rrj-4w73-gw88",
  "modified": "2022-05-13T01:30:31Z",
  "published": "2022-05-13T01:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2312"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/03/08/4"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/03/09/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6V4X-M393-5VG2

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Improper link resolution before file access ('link following') in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-49791"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T17:16:54Z",
    "severity": "HIGH"
  },
  "details": "Improper link resolution before file access (\u0027link following\u0027) in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-6v4x-m393-5vg2",
  "modified": "2026-07-14T18:32:01Z",
  "published": "2026-07-14T18:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49791"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49791"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6V7Q-GH5P-VGQC

Vulnerability from github – Published: 2022-05-17 01:59 – Updated: 2022-05-17 01:59
VLAI
Details

The make include files in NetBSD before 1.6.2, as used in pmake 1.111 and other products, allow local users to overwrite arbitrary files via a symlink attack on a /tmp/_depend##### temporary file, related to (1) bsd.lib.mk and (2) bsd.prog.mk.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-1920"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-05-23T22:55:00Z",
    "severity": "LOW"
  },
  "details": "The make include files in NetBSD before 1.6.2, as used in pmake 1.111 and other products, allow local users to overwrite arbitrary files via a symlink attack on a /tmp/_depend##### temporary file, related to (1) bsd.lib.mk and (2) bsd.prog.mk.",
  "id": "GHSA-6v7q-gh5p-vgqc",
  "modified": "2022-05-17T01:59:31Z",
  "published": "2022-05-17T01:59:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1920"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=705090"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=705100"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67495"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626673"
    },
    {
      "type": "WEB",
      "url": "http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.lib.mk.diff?r1=1.239\u0026r2=1.240\u0026f=h"
    },
    {
      "type": "WEB",
      "url": "http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.prog.mk.diff?r1=1.192\u0026r2=1.193\u0026f=h"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2011/05/16/2"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2011/05/16/8"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/47878"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6VJH-65XF-7489

Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2025-10-22 00:31
VLAI
Details

An elevation of privilege vulnerability exists when the Windows AppX Deployment Extensions improperly performs privilege management, resulting in access to system files.To exploit this vulnerability, an authenticated attacker would need to run a specially crafted application to elevate privileges.The security update addresses the vulnerability by correcting how AppX Deployment Extensions manages privileges., aka 'Windows AppX Deployment Extensions Elevation of Privilege Vulnerability'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-1385"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-12T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "An elevation of privilege vulnerability exists when the Windows AppX Deployment Extensions improperly performs privilege management, resulting in access to system files.To exploit this vulnerability, an authenticated attacker would need to run a specially crafted application to elevate privileges.The security update addresses the vulnerability by correcting how AppX Deployment Extensions manages privileges., aka \u0027Windows AppX Deployment Extensions Elevation of Privilege Vulnerability\u0027.",
  "id": "GHSA-6vjh-65xf-7489",
  "modified": "2025-10-22T00:31:48Z",
  "published": "2022-05-24T22:01:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1385"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1385"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1385"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-979"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.