CWE-61
AllowedUNIX Symbolic Link (Symlink) Following
Abstraction: Compound · Status: Incomplete
The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
270 vulnerabilities reference this CWE, most recent first.
GHSA-4G74-7CFF-XCV8
Vulnerability from github – Published: 2025-11-05 18:44 – Updated: 2025-11-15 02:25Impact
youki utilizes bind mounting the container's /dev/null as a file mask. When performing this operation, the initial validation of the source /dev/null was insufficient. Specifically, we initially failed to verify whether /dev/null was genuinely present. However, we did perform validation to ensure that the /dev/null path existed within the container, including checking for symbolic links. Additionally, there was a vulnerability in the timing between validation and the actual mount operation.
As a result, by replacing /dev/null with a symbolic link, we can bind-mount arbitrary files from the host system.
This is a different project, but the core logic is similar to the CVE in runc. Issues were identified in runc, and verification was also conducted in youki to confirm the problems. https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2
Credits
Thanks to Lei Wang (@ssst0n3 from Huawei) for finding and reporting the original runc's vulnerability (Attack 1), and Li Fubang (@lifubang from acmcoder.com, CIIC) for discovering another attack vector in runc (Attack 2) based on @ssst0n3's initial findings.
Also, @cyphar helped youki in finding the problem.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "youki"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62161"
],
"database_specific": {
"cwe_ids": [
"CWE-363",
"CWE-61"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-05T18:44:18Z",
"nvd_published_at": "2025-11-06T00:15:36Z",
"severity": "HIGH"
},
"details": "### Impact ###\n\nyouki utilizes bind mounting the container\u0027s `/dev/null` as a file mask. When performing this operation, the initial validation of the source `/dev/null` was insufficient. Specifically, we initially failed to verify whether `/dev/null` was genuinely present. However, we did perform validation to ensure that the `/dev/null` path existed within the container, including checking for symbolic links. Additionally, there was a vulnerability in the timing between validation and the actual mount operation.\n\nAs a result, by replacing `/dev/null` with a symbolic link, we can bind-mount arbitrary files from the host system.\n\nThis is a different project, but the core logic is similar to the CVE in runc. Issues were identified in runc, and verification was also conducted in youki to confirm the problems.\nhttps://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2\n\n### Credits\n\nThanks to Lei Wang (@ssst0n3 from Huawei) for finding and reporting the original runc\u0027s vulnerability (Attack 1), and Li Fubang (@lifubang from acmcoder.com, CIIC) for discovering another attack vector in runc (Attack 2) based on @ssst0n3\u0027s initial findings.\n\nAlso, @cyphar helped youki in finding the problem.",
"id": "GHSA-4g74-7cff-xcv8",
"modified": "2025-11-15T02:25:02Z",
"published": "2025-11-05T18:44:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2"
},
{
"type": "WEB",
"url": "https://github.com/youki-dev/youki/security/advisories/GHSA-4g74-7cff-xcv8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62161"
},
{
"type": "WEB",
"url": "https://github.com/youki-dev/youki/commit/5886c91073b9be748bd8d5aed49c4a820548030a"
},
{
"type": "PACKAGE",
"url": "https://github.com/youki-dev/youki"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "youki container escape via \"masked path\" abuse due to mount race conditions"
}
GHSA-4Q92-RFM6-2CQX
Vulnerability from github – Published: 2026-02-06 19:08 – Updated: 2026-03-30 19:59Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude Code to read the restricted file through the symlink without triggering deny rule enforcement.
Users on standard Claude Code auto-update received this fix automatically. Users performing manual updates are advised to update to the latest version.
Claude Code thanks https://hackerone.com/ofirh for reporting this issue.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@anthropic-ai/claude-code"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25724"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-61"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-06T19:08:04Z",
"nvd_published_at": "2026-02-06T18:16:00Z",
"severity": "LOW"
},
"details": "Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude Code to read the restricted file through the symlink without triggering deny rule enforcement. \n\nUsers on standard Claude Code auto-update received this fix automatically. Users performing manual updates are advised to update to the latest version.\n\nClaude Code thanks https://hackerone.com/ofirh for reporting this issue.",
"id": "GHSA-4q92-rfm6-2cqx",
"modified": "2026-03-30T19:59:02Z",
"published": "2026-02-06T19:08:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-4q92-rfm6-2cqx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25724"
},
{
"type": "PACKAGE",
"url": "https://github.com/anthropics/claude-code"
},
{
"type": "WEB",
"url": "https://www.terra.security/blog/when-ai-becomes-the-attack-surface-lessons-from-discovering-cve-2026-25724"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Claude Code has Permission Deny Bypass Through Symbolic Links"
}
GHSA-54R8-8CQ2-5P82
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-07-03 00:00A UNIX Symbolic Link (Symlink) Following vulnerability in the clone-master-clean-up.sh script of clone-master-clean-up in SUSE Linux Enterprise Server 12 SP3, SUSE Linux Enterprise Server 15 SP1; openSUSE Factory allows local attackers to delete arbitrary files. This issue affects: SUSE Linux Enterprise Server 12 SP3 clone-master-clean-up version 1.6-4.6.1 and prior versions. SUSE Linux Enterprise Server 15 SP1 clone-master-clean-up version 1.6-3.9.1 and prior versions. openSUSE Factory clone-master-clean-up version 1.6-1.4 and prior versions.
{
"affected": [],
"aliases": [
"CVE-2021-32000"
],
"database_specific": {
"cwe_ids": [
"CWE-59",
"CWE-61"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-28T10:15:00Z",
"severity": "HIGH"
},
"details": "A UNIX Symbolic Link (Symlink) Following vulnerability in the clone-master-clean-up.sh script of clone-master-clean-up in SUSE Linux Enterprise Server 12 SP3, SUSE Linux Enterprise Server 15 SP1; openSUSE Factory allows local attackers to delete arbitrary files.\nThis issue affects:\nSUSE Linux Enterprise Server 12 SP3\nclone-master-clean-up version 1.6-4.6.1 and prior versions.\nSUSE Linux Enterprise Server 15 SP1\nclone-master-clean-up version 1.6-3.9.1 and prior versions.\nopenSUSE Factory\nclone-master-clean-up version 1.6-1.4 and prior versions.",
"id": "GHSA-54r8-8cq2-5p82",
"modified": "2022-07-03T00:00:23Z",
"published": "2022-05-24T19:09:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32000"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1181050"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-56GF-J26C-43XH
Vulnerability from github – Published: 2024-09-17 00:31 – Updated: 2025-11-04 18:31This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15. An app may be able to break out of its sandbox.
{
"affected": [],
"aliases": [
"CVE-2024-44132"
],
"database_specific": {
"cwe_ids": [
"CWE-59",
"CWE-61"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-17T00:15:50Z",
"severity": "HIGH"
},
"details": "This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15. An app may be able to break out of its sandbox.",
"id": "GHSA-56gf-j26c-43xh",
"modified": "2025-11-04T18:31:21Z",
"published": "2024-09-17T00:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44132"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121238"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Sep/33"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-56P5-8MHR-2FPH
Vulnerability from github – Published: 2026-04-08 15:03 – Updated: 2026-04-10 21:34Summary
LiquidJS enforces partial and layout root restrictions using the resolved pathname string, but it does not resolve the canonical filesystem path before opening the file. A symlink placed inside an allowed partials or layouts directory can therefore point to a file outside that directory and still be loaded.
Details
For {% include %}, {% render %}, and {% layout %}, LiquidJS checks whether the candidate path is inside the configured partials or layouts roots before reading it. That check is path-based, not realpath-based.
Because of that, a file like partials/link.liquid passes the directory containment check as long as its pathname is under the allowed root. If link.liquid is actually a symlink to a file outside the allowed root, the filesystem follows the symlink when the file is opened and LiquidJS renders the external target.
So the restriction is applied to the path string that was requested, not to the file that is actually read.
This matters in environments where an attacker can place templates or otherwise influence files under a trusted template root, including uploaded themes, extracted archives, mounted content, or repository-controlled template trees.
PoC
const { Liquid } = require('liquidjs');
const fs = require('fs');
fs.rmSync('/tmp/liquid-root', { recursive: true, force: true });
fs.mkdirSync('/tmp/liquid-root', { recursive: true });
fs.writeFileSync('/tmp/secret-outside.liquid', 'SECRET_OUTSIDE');
fs.symlinkSync('/tmp/secret-outside.liquid', '/tmp/liquid-root/link.liquid');
const engine = new Liquid({ root: ['/tmp/liquid-root'] });
engine.parseAndRender('{% render "link.liquid" %}')
.then(console.log);
// SECRET_OUTSIDE
Impact
If an attacker can place or influence symlinks under a trusted partials or layouts directory, they can make LiquidJS read and render files outside the intended template root. In practice this can expose arbitrary readable files reachable through symlink targets.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.25.2"
},
"package": {
"ecosystem": "npm",
"name": "liquidjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.25.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35525"
],
"database_specific": {
"cwe_ids": [
"CWE-61"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T15:03:47Z",
"nvd_published_at": "2026-04-08T20:16:24Z",
"severity": "HIGH"
},
"details": "### Summary\n\nLiquidJS enforces partial and layout root restrictions using the resolved pathname string, but it does not resolve the canonical filesystem path before opening the file. A symlink placed inside an allowed partials or layouts directory can therefore point to a file outside that directory and still be loaded.\n\n### Details\n\nFor `{% include %}`, `{% render %}`, and `{% layout %}`, LiquidJS checks whether the candidate path is inside the configured partials or layouts roots before reading it. That check is path-based, not realpath-based.\n\nBecause of that, a file like `partials/link.liquid` passes the directory containment check as long as its pathname is under the allowed root. If `link.liquid` is actually a symlink to a file outside the allowed root, the filesystem follows the symlink when the file is opened and LiquidJS renders the external target.\n\nSo the restriction is applied to the path string that was requested, not to the file that is actually read.\n\nThis matters in environments where an attacker can place templates or otherwise influence files under a trusted template root, including uploaded themes, extracted archives, mounted content, or repository-controlled template trees.\n\n### PoC\n\n```js\nconst { Liquid } = require(\u0027liquidjs\u0027);\nconst fs = require(\u0027fs\u0027);\n\nfs.rmSync(\u0027/tmp/liquid-root\u0027, { recursive: true, force: true });\nfs.mkdirSync(\u0027/tmp/liquid-root\u0027, { recursive: true });\n\nfs.writeFileSync(\u0027/tmp/secret-outside.liquid\u0027, \u0027SECRET_OUTSIDE\u0027);\nfs.symlinkSync(\u0027/tmp/secret-outside.liquid\u0027, \u0027/tmp/liquid-root/link.liquid\u0027);\n\nconst engine = new Liquid({ root: [\u0027/tmp/liquid-root\u0027] });\n\nengine.parseAndRender(\u0027{% render \"link.liquid\" %}\u0027)\n .then(console.log);\n// SECRET_OUTSIDE\n```\n\n### Impact\n\nIf an attacker can place or influence symlinks under a trusted partials or layouts directory, they can make LiquidJS read and render files outside the intended template root. In practice this can expose arbitrary readable files reachable through symlink targets.",
"id": "GHSA-56p5-8mhr-2fph",
"modified": "2026-04-10T21:34:31Z",
"published": "2026-04-08T15:03:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-56p5-8mhr-2fph"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35525"
},
{
"type": "WEB",
"url": "https://github.com/harttle/liquidjs/pull/867"
},
{
"type": "PACKAGE",
"url": "https://github.com/harttle/liquidjs"
},
{
"type": "WEB",
"url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates"
}
GHSA-66M2-GX93-V996
Vulnerability from github – Published: 2025-10-03 14:17 – Updated: 2025-10-13 15:10Claude Code failed to account for symlinks when checking permission deny rules. If a user explicitly denied Claude Code access to a file and Claude Code had access to a symlink pointing to that file, it was possible for Claude Code to access the file.
Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version.
Thank you to https://hackerone.com/vinai for reporting this issue!
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@anthropic-ai/claude-code"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.120"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59829"
],
"database_specific": {
"cwe_ids": [
"CWE-61"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-03T14:17:58Z",
"nvd_published_at": "2025-10-03T20:15:33Z",
"severity": "LOW"
},
"details": "Claude Code failed to account for symlinks when checking permission deny rules. If a user explicitly denied Claude Code access to a file and Claude Code had access to a symlink pointing to that file, it was possible for Claude Code to access the file. \n\nUsers on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version.\n\nThank you to https://hackerone.com/vinai for reporting this issue!",
"id": "GHSA-66m2-gx93-v996",
"modified": "2025-10-13T15:10:14Z",
"published": "2025-10-03T14:17:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-66m2-gx93-v996"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59829"
},
{
"type": "PACKAGE",
"url": "https://github.com/anthropics/claude-code"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Claude Code permission deny bypass through symlink"
}
GHSA-698G-97RR-XGJF
Vulnerability from github – Published: 2025-08-13 09:30 – Updated: 2025-08-13 09:30Using Codex CLI in workspace-write mode inside a malicious context (repo, directory, etc) could lead to arbitrary file overwrite and potentially remote code execution due to symlinks being followed outside the allowed current working directory.
{
"affected": [],
"aliases": [
"CVE-2025-55345"
],
"database_specific": {
"cwe_ids": [
"CWE-61"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-13T09:15:29Z",
"severity": "HIGH"
},
"details": "Using Codex CLI in workspace-write mode inside a malicious context (repo, directory, etc) could lead to arbitrary file overwrite and potentially remote code execution due to symlinks being followed outside the allowed current working directory.",
"id": "GHSA-698g-97rr-xgjf",
"modified": "2025-08-13T09:30:32Z",
"published": "2025-08-13T09:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55345"
},
{
"type": "WEB",
"url": "https://github.com/openai/codex/pull/1705"
},
{
"type": "WEB",
"url": "https://research.jfrog.com/vulnerabilities/codex-cli-symlink-arbitrary-file-overwrite-jfsa-2025-001378631"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6C9G-GHQ5-C4C8
Vulnerability from github – Published: 2024-11-11 15:31 – Updated: 2024-11-11 15:31Arbitrary file overwrite during recovery due to improper soft link handling. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 818, Acronis Backup extension for Plesk (Linux) before build 599, Acronis Backup plugin for DirectAdmin (Linux) before build 181.
{
"affected": [],
"aliases": [
"CVE-2024-34014"
],
"database_specific": {
"cwe_ids": [
"CWE-61"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-11T14:15:14Z",
"severity": "MODERATE"
},
"details": "Arbitrary file overwrite during recovery due to improper soft link handling. The following products are affected: Acronis Backup plugin for cPanel \u0026 WHM (Linux) before build 818, Acronis Backup extension for Plesk (Linux) before build 599, Acronis Backup plugin for DirectAdmin (Linux) before build 181.",
"id": "GHSA-6c9g-ghq5-c4c8",
"modified": "2024-11-11T15:31:01Z",
"published": "2024-11-11T15:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34014"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-7592"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6GCG-HP2X-Q54H
Vulnerability from github – Published: 2022-05-23 21:13 – Updated: 2022-05-23 21:13Impact
All unpatched versions of Argo CD starting with v0.7.0 are vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files from Argo CD's repo-server.
A malicious Argo CD user with write access for a repository which is (or may be) used in a directory-type Application may commit a symlink which points to an out-of-bounds file. * If the target file is a valid JSON or YAML manifest file, and the resource is allowed in the Application, the attacker can read the contents of that manifest file. (In versions <2.3.2, <2.2.8, and <2.1.14, the attacker may read the files contents even if the resource is not allowed in the Application). * If the target file is valid JSON but is not a manifest file, the attacker may read the contents of the file. * If the target file is not valid JSON or YAML, the attacker may read partial file contents (usually just the first character of the file).
Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any JSON-formatted secrets which have been mounted as files on the repo-server.
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
- v2.3.4
- v2.2.9
- v2.1.15
Workarounds
- If you are using >=v2.3.0 and do not have any Jsonnet/directory-type Applications, disable the Jsonnet/directory config management tool. The config key is called
jsonnet.enablesince the same build tool is used for both Jsonnet and plain-manifest ("directory") sources.
Mitigations
- Avoid mounting JSON-formatted secrets as files on the repo-server.
- Upgrade to >=2.3.0 to significantly reduce the risk of leaking out-of-bounds manifest files. Starting with 2.3.0, repository paths are randomized, and read permissions are restricted when manifests are not being actively being generated. This makes it very difficult to craft and use a malicious symlink.
- Upgrade to >=2.3.3, >=2.2.8, or >= 2.1.14 to significantly reduce the risk of leaking the contents of (but not the existence of) out-of-bounds manifest files. These versions prevent attackers from loading manifests which are not permitted in the Project which governs the Application.
Best practices which can mitigate risk
- Limit who has push access to manifest repositories.
- Limit who is allowed to configure new source repositories.
- Limit resource kinds and destinations allowed for Projects, and restrict user access to only the necessary Projects.
Credits
This vulnerability was originally discovered as part of the Trail of Bits audit, published March 12, 2021. The behavior was left unchanged at the time.
The vulnerability was independently re-discovered by @crenshaw-dev, who contributed the patch. A security audit by Ada Logics independently followed up on the Trail of Bits report around the same time.
References
- List of types of Applications, including directory-type
- RBAC documentation, showing how to limit repository permissions
- Project documentation, showing how to limit allowable resource kinds and destinations
For more information
Open an issue in the Argo CD issue tracker or discussions Join us on Slack in channel #argo-cd
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24904"
],
"database_specific": {
"cwe_ids": [
"CWE-59",
"CWE-61"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-23T21:13:57Z",
"nvd_published_at": "2022-05-20T14:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nAll unpatched versions of Argo CD starting with v0.7.0 are vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files from Argo CD\u0027s repo-server.\n\nA malicious Argo CD user with write access for a repository which is (or may be) used in a directory-type Application may commit a symlink which points to an out-of-bounds file. \n* If the target file is a valid JSON or YAML manifest file, and the resource is allowed in the Application, the attacker can read the contents of that manifest file. (In versions \u003c2.3.2, \u003c2.2.8, and \u003c2.1.14, the attacker may read the files contents even if the resource is _not_ allowed in the Application). \n* If the target file is valid JSON but is _not_ a manifest file, the attacker may read the contents of the file. \n* If the target file is not valid JSON or YAML, the attacker may read partial file contents (usually just the first character of the file).\n\nSensitive files which could be leaked include manifest files from other Applications\u0027 source repositories (potentially decrypted files, if you are using a decryption plugin) or any JSON-formatted secrets which have been mounted as files on the repo-server.\n\n### Patches\n\nA patch for this vulnerability has been released in the following Argo CD versions:\n\n* v2.3.4\n* v2.2.9\n* v2.1.15\n\n### Workarounds\n\n* If you are using \u003e=v2.3.0 and do not have any Jsonnet/directory-type Applications, [disable the Jsonnet/directory config management tool](https://argo-cd.readthedocs.io/en/stable/user-guide/tool_detection/#disable-built-in-tools). The config key is called `jsonnet.enable` since the same build tool is used for both Jsonnet and plain-manifest (\"directory\") sources.\n\n#### Mitigations\n\n* Avoid mounting JSON-formatted secrets as files on the repo-server.\n* Upgrade to \u003e=2.3.0 to significantly reduce the risk of leaking out-of-bounds manifest files. Starting with 2.3.0, repository paths are randomized, and read permissions are restricted when manifests are not being actively being generated. This makes it very difficult to craft and use a malicious symlink.\n* Upgrade to \u003e=2.3.3, \u003e=2.2.8, or \u003e= 2.1.14 to significantly reduce the risk of leaking the contents of (but not the existence of) out-of-bounds manifest files. These versions prevent attackers from loading manifests which are not permitted in the Project which governs the Application. \n\n#### Best practices which can mitigate risk\n\n* Limit who has push access to manifest repositories.\n* Limit who is allowed to configure new source repositories.\n* Limit resource kinds and destinations allowed for Projects, and restrict user access to only the necessary Projects.\n\n### Credits\n\nThis vulnerability was originally discovered as part of the Trail of Bits audit, published March 12, 2021. The behavior was left unchanged at the time.\n\nThe vulnerability was independently re-discovered by @crenshaw-dev, who contributed the patch. A security audit by Ada Logics independently followed up on the Trail of Bits report around the same time.\n\n### References\n\n* List of [types of Applications](https://argo-cd.readthedocs.io/en/stable/user-guide/application_sources/), including directory-type\n* [RBAC documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/), showing how to limit repository permissions\n* [Project documentation](https://argo-cd.readthedocs.io/en/stable/user-guide/projects/), showing how to limit allowable resource kinds and destinations \n\n### For more information\nOpen an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\nJoin us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n",
"id": "GHSA-6gcg-hp2x-q54h",
"modified": "2022-05-23T21:13:57Z",
"published": "2022-05-23T21:13:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24904"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/commit/5e767a4b9e30983330c0fdec322192281a90eb84"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/commit/7357cfdb58a560de70a0538c6e3bef6fe39505ea"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/commit/d36d95dc9f71ec61c1a93794f81ece6d61a0d943"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4"
},
{
"type": "PACKAGE",
"url": "github.com/argoproj/argo-cd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server"
}
GHSA-6M5P-MV69-2WFH
Vulnerability from github – Published: 2024-12-17 12:31 – Updated: 2024-12-17 12:31Dell AppSync, version 4.6.0.x, contain a Symbolic Link (Symlink) Following vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to information tampering.
{
"affected": [],
"aliases": [
"CVE-2024-52542"
],
"database_specific": {
"cwe_ids": [
"CWE-59",
"CWE-61"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-17T12:15:20Z",
"severity": "MODERATE"
},
"details": "Dell AppSync, version 4.6.0.x, contain a Symbolic Link (Symlink) Following vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to information tampering.",
"id": "GHSA-6m5p-mv69-2wfh",
"modified": "2024-12-17T12:31:40Z",
"published": "2024-12-17T12:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52542"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000261039/dsa-2024-496-security-update-for-dell-appsync-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program as to prevent attackers from manipulating the files.
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-27: Leveraging Race Conditions via Symbolic Links
This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.