CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Description
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79
CVEs mapped to this weakness (5,488)
page 157 of 275| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-41930 | Med | 0.28 | 4.3 | 0.01 | Sep 6, 2023 | Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict the 'name' query parameter when rendering a history entry, allowing attackers to have Jenkins render a manipulated configuration history that was not created by the plugin. | ||
| CVE-2023-24455 | Med | 0.28 | 4.3 | 0.01 | Jan 26, 2023 | Jenkins visualexpert Plugin 1.3 and earlier does not restrict the names of files in methods implementing form validation, allowing attackers with Item/Configure permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. | ||
| CVE-2023-24449 | Med | 0.28 | 4.3 | 0.01 | Jan 26, 2023 | Jenkins PWauth Security Realm Plugin 0.4 and earlier does not restrict the names of files in methods implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. | ||
| CVE-2022-4572 | — | Med | 0.28 | 5.4 | 0.01 | Dec 17, 2022 | A vulnerability, which was classified as problematic, has been found in UBI Reader up to 0.8.0. Affected by this issue is the function ubireader_extract_files of the file ubireader/ubifs/output.py of the component UBIFS File Handler. The manipulation leads to path traversal. The… | |
| CVE-2020-24855 | — | Med | 0.28 | 5.3 | 0.01 | Dec 15, 2022 | Directory Traversal vulnerability in easywebpack-cli before 4.5.2 allows attackers to obtain sensitive information via crafted GET request. | |
| CVE-2020-36565 | Med | 0.28 | 5.3 | 0.01 | Dec 7, 2022 | Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read. | ||
| CVE-2022-3361 | Med | 0.28 | 4.3 | 0.02 | Nov 29, 2022 | The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply… | ||
| CVE-2022-26049 | — | Med | 0.28 | 5.3 | 0.02 | Sep 11, 2022 | This affects the package com.diffplug.gradle:goomph before 3.37.2. It allows a malicious zip file to potentially break out of the expected destination directory, writing contents into arbitrary locations on the file system. Overwriting certain files/directories could allow an… | |
| CVE-2022-36890 | Med | 0.28 | 4.3 | 0.01 | Jul 27, 2022 | Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict the name of files in methods implementing form validation, allowing attackers with Item/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file… | ||
| CVE-2022-34170 | Med | 0.28 | 5.4 | 0.01 | Jun 23, 2022 | In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability… | ||
| CVE-2022-30949 | Med | 0.28 | 5.3 | 0.01 | May 17, 2022 | Jenkins REPO Plugin 1.14.0 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. | ||
| CVE-2021-45452 | — | Med | 0.28 | 5.3 | 0.02 | Jan 5, 2022 | Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it. | |
| CVE-2021-43788 | Med | 0.28 | 5.0 | 0.26 | Nov 29, 2021 | Nodebb is an open source Node.js based forum software. Prior to v1.18.5, a path traversal vulnerability was present that allowed users to access JSON files outside of the expected `languages/` directory. The vulnerability has been patched as of v1.18.5. Users are advised to… | ||
| CVE-2021-32061 | — | Med | 0.28 | 5.3 | 0.02 | Nov 29, 2021 | S3Scanner before 2.0.2 allows Directory Traversal via a crafted bucket, as demonstrated by a ../ substring in a ListBucketResult element. | |
| CVE-2021-36157 | — | Med | 0.28 | 5.3 | 0.01 | Aug 3, 2021 | An issue was discovered in Grafana Cortex through 1.9.0. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Cortex will attempt to parse a… | |
| CVE-2021-28584 | Med | 0.28 | 5.4 | 0.02 | Jun 28, 2021 | Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Path Traversal vulnerability when creating a store with child theme.Successful exploitation could lead to arbitrary file system write by an authenticated attacker. Access to… | ||
| CVE-2021-3281 | — | Med | 0.28 | 5.3 | 0.08 | Feb 2, 2021 | In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments. | |
| CVE-2020-35460 | — | Med | 0.28 | 5.3 | 0.02 | Dec 14, 2020 | common/InputStreamHelper.java in Packwood MPXJ before 8.3.5 allows directory traversal in the zip stream handler flow, leading to the writing of files to arbitrary locations. | |
| CVE-2020-7790 | — | Med | 0.28 | 5.3 | 0.01 | Dec 11, 2020 | This affects the package spatie/browsershot from 0.0.0. By specifying a URL in the file:// protocol an attacker is able to include arbitrary files in the resultant PDF. | |
| CVE-2020-7651 | — | Med | 0.28 | 4.3 | 0.01 | May 29, 2020 | All versions of snyk-broker before 4.79.0 are vulnerable to Arbitrary File Read. It allows partial file reads for users who have access to Snyk's internal network via patch history from GitHub Commits API. |
- risk 0.28cvss 4.3epss 0.01
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict the 'name' query parameter when rendering a history entry, allowing attackers to have Jenkins render a manipulated configuration history that was not created by the plugin.
- risk 0.28cvss 4.3epss 0.01
Jenkins visualexpert Plugin 1.3 and earlier does not restrict the names of files in methods implementing form validation, allowing attackers with Item/Configure permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.
- risk 0.28cvss 4.3epss 0.01
Jenkins PWauth Security Realm Plugin 0.4 and earlier does not restrict the names of files in methods implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.
- risk 0.28cvss 5.4epss 0.01
A vulnerability, which was classified as problematic, has been found in UBI Reader up to 0.8.0. Affected by this issue is the function ubireader_extract_files of the file ubireader/ubifs/output.py of the component UBIFS File Handler. The manipulation leads to path traversal. The…
- risk 0.28cvss 5.3epss 0.01
Directory Traversal vulnerability in easywebpack-cli before 4.5.2 allows attackers to obtain sensitive information via crafted GET request.
- risk 0.28cvss 5.3epss 0.01
Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.
- risk 0.28cvss 4.3epss 0.02
The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply…
- risk 0.28cvss 5.3epss 0.02
This affects the package com.diffplug.gradle:goomph before 3.37.2. It allows a malicious zip file to potentially break out of the expected destination directory, writing contents into arbitrary locations on the file system. Overwriting certain files/directories could allow an…
- risk 0.28cvss 4.3epss 0.01
Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict the name of files in methods implementing form validation, allowing attackers with Item/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file…
- risk 0.28cvss 5.4epss 0.01
In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability…
- risk 0.28cvss 5.3epss 0.01
Jenkins REPO Plugin 1.14.0 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.
- risk 0.28cvss 5.3epss 0.02
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.
- risk 0.28cvss 5.0epss 0.26
Nodebb is an open source Node.js based forum software. Prior to v1.18.5, a path traversal vulnerability was present that allowed users to access JSON files outside of the expected `languages/` directory. The vulnerability has been patched as of v1.18.5. Users are advised to…
- risk 0.28cvss 5.3epss 0.02
S3Scanner before 2.0.2 allows Directory Traversal via a crafted bucket, as demonstrated by a ../ substring in a ListBucketResult element.
- risk 0.28cvss 5.3epss 0.01
An issue was discovered in Grafana Cortex through 1.9.0. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Cortex will attempt to parse a…
- risk 0.28cvss 5.4epss 0.02
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Path Traversal vulnerability when creating a store with child theme.Successful exploitation could lead to arbitrary file system write by an authenticated attacker. Access to…
- risk 0.28cvss 5.3epss 0.08
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
- risk 0.28cvss 5.3epss 0.02
common/InputStreamHelper.java in Packwood MPXJ before 8.3.5 allows directory traversal in the zip stream handler flow, leading to the writing of files to arbitrary locations.
- risk 0.28cvss 5.3epss 0.01
This affects the package spatie/browsershot from 0.0.0. By specifying a URL in the file:// protocol an attacker is able to include arbitrary files in the resultant PDF.
- risk 0.28cvss 4.3epss 0.01
All versions of snyk-broker before 4.79.0 are vulnerable to Arbitrary File Read. It allows partial file reads for users who have access to Snyk's internal network via patch history from GitHub Commits API.