VYPR

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

BaseStableLikelihood: High

Description

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79

CVEs mapped to this weakness (5,488)

page 107 of 275
  • CVE-2021-31542HigMay 5, 2021
    risk 0.42cvss 7.5epss 0.05

    In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

  • CVE-2020-29529HigDec 3, 2020
    risk 0.42cvss 7.5epss 0.03

    HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0.

  • CVE-2020-15246HigNov 23, 2020
    risk 0.42cvss 7.5epss 0.02

    October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.421 and before version 1.0.469, an attacker can read local files on an October CMS server via a specially crafted request. Issue has been patched in Build…

  • CVE-2020-7763HigNov 5, 2020
    risk 0.42cvss 7.5epss 0.02

    This affects the package phantom-html-to-pdf before 0.6.1.

  • CVE-2020-7758HigNov 2, 2020
    risk 0.42cvss 7.5epss 0.02

    This affects versions of package browserless-chrome before 1.40.2-chrome-stable. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server.

  • CVE-2020-7757MedNov 2, 2020
    risk 0.42cvss 6.5epss 0.02

    This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droopy server.

  • CVE-2020-2293MedOct 8, 2020
    risk 0.42cvss 6.5epss 0.01

    Jenkins Persona Plugin 2.4 and earlier allows users with Overall/Read permission to read arbitrary files on the Jenkins controller.

  • CVE-2020-2278MedSep 16, 2020
    risk 0.42cvss 6.5epss 0.01

    Jenkins Storable Configs Plugin 1.0 and earlier does not restrict the user-specified file name, allowing attackers with Job/Configure permission to replace any other '.xml' file on the Jenkins controller with a job config.xml file's content.

  • CVE-2020-2277MedSep 16, 2020
    risk 0.42cvss 6.5epss 0.02

    Jenkins Storable Configs Plugin 1.0 and earlier allows users with Job/Read permission to read arbitrary files on the Jenkins controller.

  • CVE-2019-20916HigSep 4, 2020
    risk 0.42cvss 7.5epss 0.03

    The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in…

  • CVE-2020-25032HigAug 31, 2020
    risk 0.42cvss 7.5epss 0.04

    An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.

  • CVE-2020-7684HigJul 17, 2020
    risk 0.42cvss 7.5epss 0.01

    This affects all versions of package rollup-plugin-serve. There is no path sanitization in readFile operation.

  • CVE-2020-7667HigJun 24, 2020
    risk 0.42cvss 7.5epss 0.02

    In package github.com/sassoftware/go-rpmutils/cpio before version 0.1.0, the CPIO extraction functionality doesn't sanitize the paths of the archived files for leading and non-leading ".." which leads in file extraction outside of the current directory. Note: the fixing commit…

  • CVE-2020-7668HigJun 23, 2020
    risk 0.42cvss 7.5epss 0.01

    In all versions of the package github.com/unknwon/cae/tz, the ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide.

  • CVE-2020-7664HigJun 23, 2020
    risk 0.42cvss 7.5epss 0.01

    In all versions of the package github.com/unknwon/cae/zip, the ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide.

  • CVE-2020-7650MedMay 29, 2020
    risk 0.42cvss 6.5epss 0.01

    All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.

  • CVE-2020-7648MedMay 29, 2020
    risk 0.42cvss 6.5epss 0.01

    All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`

  • CVE-2020-7652MedMay 29, 2020
    risk 0.42cvss 6.5epss 0.02

    All versions of snyk-broker before 4.80.0 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users with access to Snyk's internal network via directory traversal.

  • CVE-2020-1737HigMar 9, 2020
    risk 0.42cvss 7.5epss 0.00

    A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by…

  • CVE-2020-5840HigJan 6, 2020
    risk 0.42cvss 7.5epss 0.01

    An issue was discovered in HashBrown CMS before 1.3.2. Server/Entity/Resource/Connection.js allows an attacker to reach a parent directory via a crafted name or ID field.