CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Description
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79
CVEs mapped to this weakness (5,488)
Page 38 of 275

| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-44900 | — | Critical | 0.52 | 9.1 | 0.02 | | Dec 6, 2022 | A directory traversal vulnerability in the SevenZipFile.extractall() function of the python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z file. |
| CVE-2022-38638 | | Critical | 0.52 | 9.1 | 0.01 | | Sep 9, 2022 | Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/upload-resource. |
| CVE-2022-1992 | | Critical | 0.52 | 9.1 | 0.02 | | Jun 9, 2022 | Path Traversal in GitHub repository gogs/gogs prior to 0.12.9. |
| CVE-2022-24840 | | Critical | 0.52 | 9.1 | 0.02 | | Jun 9, 2022 | django-s3file is a lightweight file upload input for Django and Amazon S3. In versions prior to 5.5.1 it was possible to traverse the entire AWS S3 bucket and in most cases to access or delete files. If the `AWS_LOCATION` setting was set, traversal was limited to that location… |
| CVE-2022-24303 | — | Critical | 0.52 | 9.1 | 0.03 | | Mar 28, 2022 | Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
| CVE-2021-34363 | — | Critical | 0.52 | 9.1 | 0.02 | | Jun 10, 2021 | The thefuck (aka The Fuck) package before 3.31 for Python allows Path Traversal that leads to arbitrary file deletion via the "undo archive operation" feature. |
| CVE-2020-8570 | — | Critical | 0.52 | 9.1 | 0.04 | | Jan 21, 2021 | Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system… |
| CVE-2019-3799 | | Medium | 0.52 | 6.5 | 0.85 | | May 6, 2019 | Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or… |
| CVE-2018-7771 | | High | 0.52 | 8.0 | 0.01 | | Jul 3, 2018 | The vulnerability exists within processing of editscript.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. A directory traversal vulnerability allows a caller with standard user privileges to write arbitrary php files anywhere in the web service… |
| CVE-2018-3758 | — | High | 0.52 | 8.8 | 0.27 | | Jun 7, 2018 | Unrestricted file upload (RCE) in express-cart module before 1.1.7 allows a privileged user to gain access in the hosting machine. |
| CVE-2018-11494 | — | High | 0.52 | 8.0 | 0.02 | | May 26, 2018 | The "program extension upload" feature in OpenCart through 3.0.2.0 has a six-step process (upload, install, unzip, move, xml, remove) that allows attackers to execute arbitrary code if the remove step is skipped, because the attacker can discover a secret temporary directory… |
| CVE-2018-9110 | — | Critical | 0.52 | 9.1 | 0.03 | | Mar 28, 2018 | Studio 42 elFinder before 2.1.37 has a directory traversal vulnerability in elFinder.class.php with the zipdl() function that can allow a remote attacker to download files accessible by the web server process and delete files owned by the account running the web server process… |
| CVE-2018-9109 | — | Critical | 0.52 | 9.1 | 0.03 | | Mar 28, 2018 | Studio 42 elFinder before 2.1.36 has a directory traversal vulnerability in elFinder.class.php with the zipdl() function that can allow a remote attacker to download files accessible by the web server process and delete files owned by the account running the web server process. |
| CVE-2018-1323 | | High | 0.52 | 7.5 | 0.44 | | Mar 12, 2018 | The IIS/ISAPI specific code in the Apache Tomcat JK ISAPI Connector 1.2.0 to 1.2.42 that normalised the requested path before matching it to the URI-worker map did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via IIS, then… |
| CVE-2017-11469 | | High | 0.52 | 7.5 | 0.05 | | Jul 20, 2017 | get2post.php in IDERA Uptime Monitor 7.8 has directory traversal in the file_name parameter. |
| CVE-2017-11456 | | High | 0.52 | 7.5 | 0.09 | | Jul 19, 2017 | Geneko GWR routers allow directory traversal sequences starting with a /../ substring, as demonstrated by unauthenticated read access to the configuration file. |
| CVE-2015-5609 | | Critical | 0.52 | 9.1 | 0.03 | | May 23, 2017 | Absolute path traversal vulnerability in the Image Export plugin 1.1 for WordPress allows remote attackers to read and delete arbitrary files via a full pathname in the file parameter to download.php. |
| CVE-2016-6896 | | High | 0.52 | 7.1 | 0.38 | | Jan 18, 2017 | Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to… |
| CVE-2016-2087 | | High | 0.52 | 7.4 | 0.09 | | Jan 18, 2017 | Directory traversal vulnerability in the client in HexChat 2.11.0 allows remote IRC servers to read or modify arbitrary files via a .. (dot dot) in the server name. |
| CVE-2015-8798 | | High | 0.52 | 8.0 | 0.03 | | Jun 8, 2016 | Directory traversal vulnerability in the Management Server in Symantec Embedded Security: Critical System Protection (SES:CSP) 1.0.x before 1.0 MP5, Embedded Security: Critical System Protection for Controllers and Devices (SES:CSP) 6.5.0 before MP1, Critical System Protection… |