CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Description
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79
CVEs mapped to this weakness (5,488)
page 68 of 275| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-16144 | — | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | myserver.alexcthomas18 is a file server. myserver.alexcthomas18 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | |
| CVE-2017-16143 | — | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | commentapp.stetsonwood is an http server. commentapp.stetsonwood is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | |
| CVE-2017-16142 | — | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | infraserver is a RESTful server. infraserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | |
| CVE-2017-16141 | — | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | lab6drewfusbyu is an http server. lab6drewfusbyu is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | |
| CVE-2017-16140 | — | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | lab6.brit95 is a file server. lab6.brit95 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | |
| CVE-2017-16139 | — | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | jikes is a file server. jikes is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. Accessible files are restricted to files with .htm and .js extensions. | |
| CVE-2017-16135 | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | serverzyy is a static file server. serverzyy is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | ||
| CVE-2017-16134 | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | http_static_simple is an http server. http_static_simple is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | ||
| CVE-2017-16133 | — | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | goserv is an http server. goserv is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | |
| CVE-2017-16132 | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | simple-npm-registry is a local npm package cache. simple-npm-registry is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | ||
| CVE-2017-16131 | — | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | unicorn-list is a web framework. unicorn-list is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | |
| CVE-2017-16130 | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | exxxxxxxxxxx is an Http eX Frame Google Style JavaScript Guide. exxxxxxxxxxx is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. Accessible files are restricted to those with a file extension. Files with no… | ||
| CVE-2017-16125 | — | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | rtcmulticonnection-client is a signaling implementation for RTCMultiConnection.js, a multi-session manager. rtcmulticonnection-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | |
| CVE-2017-16124 | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | node-server-forfront is a simple static file server. node-server-forfront is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | ||
| CVE-2017-16123 | — | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | welcomyzt is a simple file server. welcomyzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | |
| CVE-2017-16122 | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | cuciuci is a simple fileserver. cuciuci is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | ||
| CVE-2017-16121 | — | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | datachannel-client is a signaling implementation for DataChannel.js. datachannel-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | |
| CVE-2017-16120 | — | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | liyujing is a static file server. liyujing is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | |
| CVE-2017-16110 | — | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | weather.swlyons is a simple web server for weather updates. weather.swlyons is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. | |
| CVE-2017-16108 | Hig | 0.49 | 7.5 | 0.02 | Jun 7, 2018 | gaoxiaotingtingting is an HTTP server. gaoxiaotingtingting is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. |
- risk 0.49cvss 7.5epss 0.02
myserver.alexcthomas18 is a file server. myserver.alexcthomas18 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
commentapp.stetsonwood is an http server. commentapp.stetsonwood is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
infraserver is a RESTful server. infraserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
lab6drewfusbyu is an http server. lab6drewfusbyu is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
lab6.brit95 is a file server. lab6.brit95 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
jikes is a file server. jikes is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. Accessible files are restricted to files with .htm and .js extensions.
- risk 0.49cvss 7.5epss 0.02
serverzyy is a static file server. serverzyy is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
http_static_simple is an http server. http_static_simple is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
goserv is an http server. goserv is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
simple-npm-registry is a local npm package cache. simple-npm-registry is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
unicorn-list is a web framework. unicorn-list is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
exxxxxxxxxxx is an Http eX Frame Google Style JavaScript Guide. exxxxxxxxxxx is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. Accessible files are restricted to those with a file extension. Files with no…
- risk 0.49cvss 7.5epss 0.02
rtcmulticonnection-client is a signaling implementation for RTCMultiConnection.js, a multi-session manager. rtcmulticonnection-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
node-server-forfront is a simple static file server. node-server-forfront is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
welcomyzt is a simple file server. welcomyzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
cuciuci is a simple fileserver. cuciuci is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
datachannel-client is a signaling implementation for DataChannel.js. datachannel-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
liyujing is a static file server. liyujing is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
weather.swlyons is a simple web server for weather updates. weather.swlyons is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
- risk 0.49cvss 7.5epss 0.02
gaoxiaotingtingting is an HTTP server. gaoxiaotingtingting is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.