CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Description
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79
CVEs mapped to this weakness (5,488)
page 106 of 275| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-29970 | Hig | 0.42 | 7.5 | 0.02 | May 2, 2022 | Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files. | ||
| CVE-2022-23457 | — | Hig | 0.42 | 7.5 | 0.03 | Apr 25, 2022 | ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a… | |
| CVE-2022-24785 | — | Hig | 0.42 | 7.5 | 0.06 | Apr 4, 2022 | Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch… | |
| CVE-2022-28157 | — | Med | 0.42 | 6.5 | 0.01 | Mar 29, 2022 | Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to upload arbitrary files from the Jenkins controller via FTP to an attacker-specified FTP server. | |
| CVE-2022-28156 | — | Med | 0.42 | 6.5 | 0.02 | Mar 29, 2022 | Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to copy arbitrary files and directories from the Jenkins controller to the agent workspace. | |
| CVE-2022-28148 | — | Med | 0.42 | 6.5 | 0.02 | Mar 29, 2022 | The file browser in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Item/Read permission to obtain the contents of arbitrary files… | |
| CVE-2022-27208 | Med | 0.42 | 6.5 | 0.02 | Mar 15, 2022 | Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows users with Credentials/Create permission to read arbitrary files on the Jenkins controller. | ||
| CVE-2022-27203 | Med | 0.42 | 6.5 | 0.02 | Mar 15, 2022 | Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers with Item/Configure permission to read values from arbitrary JSON and Java properties files on the Jenkins controller. | ||
| CVE-2022-25511 | — | Med | 0.42 | 6.5 | 0.01 | Mar 11, 2022 | An issue in the ?filename= argument of the route /DataPackageTable in FreeTAKServer-UI v1.9.8 allows attackers to place arbitrary files anywhere on the system. | |
| CVE-2022-24683 | Hig | 0.42 | 7.5 | 0.02 | Feb 17, 2022 | HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root. | ||
| CVE-2022-25178 | Med | 0.42 | 6.5 | 0.02 | Feb 15, 2022 | Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier does not restrict the names of resources passed to the libraryResource step, allowing attackers able to configure Pipelines permission to read arbitrary files on the Jenkins controller file system. | ||
| CVE-2021-43795 | Hig | 0.42 | 7.5 | 0.02 | Dec 2, 2021 | Armeria is an open source microservice framework. In affected versions an attacker can access an Armeria server's local file system beyond its restricted directory by sending an HTTP request whose path contains `%2F` (encoded `/`), such as `/files/..%2Fsecrets.txt`, bypassing… | ||
| CVE-2021-41281 | Hig | 0.42 | 7.5 | 0.02 | Nov 23, 2021 | Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the… | ||
| CVE-2021-3924 | Hig | 0.42 | 7.5 | 0.04 | Nov 5, 2021 | grav is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | ||
| CVE-2021-21698 | Hig | 0.42 | 7.5 | 0.02 | Nov 4, 2021 | Jenkins Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a subversion key file on the controller from an agent. | ||
| CVE-2021-41131 | Hig | 0.42 | 7.5 | 0.01 | Oct 19, 2021 | python-tuf is a Python reference implementation of The Update Framework (TUF). In both clients (`tuf/client` and `tuf/ngclient`), there is a path traversal vulnerability that in the worst case can overwrite files ending in `.json` anywhere on the client system on a call to… | ||
| CVE-2021-21501 | — | Hig | 0.42 | 7.5 | 0.04 | Aug 10, 2021 | Improper configuration will cause ServiceComb ServiceCenter Directory Traversal problem in ServcieCenter 1.x.x versions and fixed in 2.0.0. | |
| CVE-2021-23415 | — | Hig | 0.42 | 7.5 | 0.02 | Jul 28, 2021 | This affects the package elFinder.AspNet before 1.1.1. The user-controlled file name is not properly sanitized before it is used to create a file system path. | |
| CVE-2021-32769 | Hig | 0.42 | 7.5 | 0.02 | Jul 16, 2021 | Micronaut is a JVM-based, full stack Java framework designed for building JVM applications. A path traversal vulnerability exists in versions prior to 2.5.9. With a basic configuration, it is possible to access any file from a filesystem, using "/../../" in the URL. This occurs… | ||
| CVE-2021-23407 | — | Hig | 0.42 | 7.5 | 0.02 | Jul 14, 2021 | This affects the package elFinder.Net.Core from 0 and before 1.2.4. The user-controlled file name is not properly sanitized before it is used to create a file system path. |
- risk 0.42cvss 7.5epss 0.02
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
- risk 0.42cvss 7.5epss 0.03
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a…
- risk 0.42cvss 7.5epss 0.06
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch…
- risk 0.42cvss 6.5epss 0.01
Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to upload arbitrary files from the Jenkins controller via FTP to an attacker-specified FTP server.
- risk 0.42cvss 6.5epss 0.02
Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to copy arbitrary files and directories from the Jenkins controller to the agent workspace.
- risk 0.42cvss 6.5epss 0.02
The file browser in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Item/Read permission to obtain the contents of arbitrary files…
- risk 0.42cvss 6.5epss 0.02
Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows users with Credentials/Create permission to read arbitrary files on the Jenkins controller.
- risk 0.42cvss 6.5epss 0.02
Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers with Item/Configure permission to read values from arbitrary JSON and Java properties files on the Jenkins controller.
- risk 0.42cvss 6.5epss 0.01
An issue in the ?filename= argument of the route /DataPackageTable in FreeTAKServer-UI v1.9.8 allows attackers to place arbitrary files anywhere on the system.
- risk 0.42cvss 7.5epss 0.02
HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root.
- risk 0.42cvss 6.5epss 0.02
Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier does not restrict the names of resources passed to the libraryResource step, allowing attackers able to configure Pipelines permission to read arbitrary files on the Jenkins controller file system.
- risk 0.42cvss 7.5epss 0.02
Armeria is an open source microservice framework. In affected versions an attacker can access an Armeria server's local file system beyond its restricted directory by sending an HTTP request whose path contains `%2F` (encoded `/`), such as `/files/..%2Fsecrets.txt`, bypassing…
- risk 0.42cvss 7.5epss 0.02
Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the…
- risk 0.42cvss 7.5epss 0.04
grav is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- risk 0.42cvss 7.5epss 0.02
Jenkins Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a subversion key file on the controller from an agent.
- risk 0.42cvss 7.5epss 0.01
python-tuf is a Python reference implementation of The Update Framework (TUF). In both clients (`tuf/client` and `tuf/ngclient`), there is a path traversal vulnerability that in the worst case can overwrite files ending in `.json` anywhere on the client system on a call to…
- risk 0.42cvss 7.5epss 0.04
Improper configuration will cause ServiceComb ServiceCenter Directory Traversal problem in ServcieCenter 1.x.x versions and fixed in 2.0.0.
- risk 0.42cvss 7.5epss 0.02
This affects the package elFinder.AspNet before 1.1.1. The user-controlled file name is not properly sanitized before it is used to create a file system path.
- risk 0.42cvss 7.5epss 0.02
Micronaut is a JVM-based, full stack Java framework designed for building JVM applications. A path traversal vulnerability exists in versions prior to 2.5.9. With a basic configuration, it is possible to access any file from a filesystem, using "/../../" in the URL. This occurs…
- risk 0.42cvss 7.5epss 0.02
This affects the package elFinder.Net.Core from 0 and before 1.2.4. The user-controlled file name is not properly sanitized before it is used to create a file system path.