CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Description
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79
CVEs mapped to this weakness (5,488)
page 107 of 275| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-31542 | — | Hig | 0.42 | 7.5 | 0.05 | May 5, 2021 | In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names. | |
| CVE-2020-29529 | — | Hig | 0.42 | 7.5 | 0.03 | Dec 3, 2020 | HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0. | |
| CVE-2020-15246 | Hig | 0.42 | 7.5 | 0.02 | Nov 23, 2020 | October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.421 and before version 1.0.469, an attacker can read local files on an October CMS server via a specially crafted request. Issue has been patched in Build… | ||
| CVE-2020-7763 | — | Hig | 0.42 | 7.5 | 0.02 | Nov 5, 2020 | This affects the package phantom-html-to-pdf before 0.6.1. | |
| CVE-2020-7758 | — | Hig | 0.42 | 7.5 | 0.02 | Nov 2, 2020 | This affects versions of package browserless-chrome before 1.40.2-chrome-stable. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server. | |
| CVE-2020-7757 | — | Med | 0.42 | 6.5 | 0.02 | Nov 2, 2020 | This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droopy server. | |
| CVE-2020-2293 | Med | 0.42 | 6.5 | 0.01 | Oct 8, 2020 | Jenkins Persona Plugin 2.4 and earlier allows users with Overall/Read permission to read arbitrary files on the Jenkins controller. | ||
| CVE-2020-2278 | Med | 0.42 | 6.5 | 0.01 | Sep 16, 2020 | Jenkins Storable Configs Plugin 1.0 and earlier does not restrict the user-specified file name, allowing attackers with Job/Configure permission to replace any other '.xml' file on the Jenkins controller with a job config.xml file's content. | ||
| CVE-2020-2277 | Med | 0.42 | 6.5 | 0.02 | Sep 16, 2020 | Jenkins Storable Configs Plugin 1.0 and earlier allows users with Job/Read permission to read arbitrary files on the Jenkins controller. | ||
| CVE-2019-20916 | — | Hig | 0.42 | 7.5 | 0.03 | Sep 4, 2020 | The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in… | |
| CVE-2020-25032 | — | Hig | 0.42 | 7.5 | 0.04 | Aug 31, 2020 | An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format. | |
| CVE-2020-7684 | Hig | 0.42 | 7.5 | 0.01 | Jul 17, 2020 | This affects all versions of package rollup-plugin-serve. There is no path sanitization in readFile operation. | ||
| CVE-2020-7667 | — | Hig | 0.42 | 7.5 | 0.02 | Jun 24, 2020 | In package github.com/sassoftware/go-rpmutils/cpio before version 0.1.0, the CPIO extraction functionality doesn't sanitize the paths of the archived files for leading and non-leading ".." which leads in file extraction outside of the current directory. Note: the fixing commit… | |
| CVE-2020-7668 | — | Hig | 0.42 | 7.5 | 0.01 | Jun 23, 2020 | In all versions of the package github.com/unknwon/cae/tz, the ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide. | |
| CVE-2020-7664 | — | Hig | 0.42 | 7.5 | 0.01 | Jun 23, 2020 | In all versions of the package github.com/unknwon/cae/zip, the ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide. | |
| CVE-2020-7650 | — | Med | 0.42 | 6.5 | 0.01 | May 29, 2020 | All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json. | |
| CVE-2020-7648 | — | Med | 0.42 | 6.5 | 0.01 | May 29, 2020 | All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json` | |
| CVE-2020-7652 | — | Med | 0.42 | 6.5 | 0.02 | May 29, 2020 | All versions of snyk-broker before 4.80.0 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users with access to Snyk's internal network via directory traversal. | |
| CVE-2020-1737 | Hig | 0.42 | 7.5 | 0.00 | Mar 9, 2020 | A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by… | ||
| CVE-2020-5840 | — | Hig | 0.42 | 7.5 | 0.01 | Jan 6, 2020 | An issue was discovered in HashBrown CMS before 1.3.2. Server/Entity/Resource/Connection.js allows an attacker to reach a parent directory via a crafted name or ID field. |
- risk 0.42cvss 7.5epss 0.05
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
- risk 0.42cvss 7.5epss 0.03
HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0.
- risk 0.42cvss 7.5epss 0.02
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.421 and before version 1.0.469, an attacker can read local files on an October CMS server via a specially crafted request. Issue has been patched in Build…
- risk 0.42cvss 7.5epss 0.02
This affects the package phantom-html-to-pdf before 0.6.1.
- risk 0.42cvss 7.5epss 0.02
This affects versions of package browserless-chrome before 1.40.2-chrome-stable. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server.
- risk 0.42cvss 6.5epss 0.02
This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droopy server.
- risk 0.42cvss 6.5epss 0.01
Jenkins Persona Plugin 2.4 and earlier allows users with Overall/Read permission to read arbitrary files on the Jenkins controller.
- risk 0.42cvss 6.5epss 0.01
Jenkins Storable Configs Plugin 1.0 and earlier does not restrict the user-specified file name, allowing attackers with Job/Configure permission to replace any other '.xml' file on the Jenkins controller with a job config.xml file's content.
- risk 0.42cvss 6.5epss 0.02
Jenkins Storable Configs Plugin 1.0 and earlier allows users with Job/Read permission to read arbitrary files on the Jenkins controller.
- risk 0.42cvss 7.5epss 0.03
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in…
- risk 0.42cvss 7.5epss 0.04
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
- risk 0.42cvss 7.5epss 0.01
This affects all versions of package rollup-plugin-serve. There is no path sanitization in readFile operation.
- risk 0.42cvss 7.5epss 0.02
In package github.com/sassoftware/go-rpmutils/cpio before version 0.1.0, the CPIO extraction functionality doesn't sanitize the paths of the archived files for leading and non-leading ".." which leads in file extraction outside of the current directory. Note: the fixing commit…
- risk 0.42cvss 7.5epss 0.01
In all versions of the package github.com/unknwon/cae/tz, the ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide.
- risk 0.42cvss 7.5epss 0.01
In all versions of the package github.com/unknwon/cae/zip, the ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide.
- risk 0.42cvss 6.5epss 0.01
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
- risk 0.42cvss 6.5epss 0.01
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
- risk 0.42cvss 6.5epss 0.02
All versions of snyk-broker before 4.80.0 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users with access to Snyk's internal network via directory traversal.
- risk 0.42cvss 7.5epss 0.00
A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by…
- risk 0.42cvss 7.5epss 0.01
An issue was discovered in HashBrown CMS before 1.3.2. Server/Entity/Resource/Connection.js allows an attacker to reach a parent directory via a crafted name or ID field.