VYPR

CWE-29

Path Traversal: '\..\filename'

Abstraction: Variant; Status: Incomplete

Description

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (41)

page 2 of 3
  • CVE-2024-8859 (Mar 20, 2025)
    risk 0.00, cvss (none listed), epss 0.03

    A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is…

  • CVE-2024-7774 (Oct 29, 2024)
    risk 0.00, cvss (none listed), epss 0.01

    A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is…

  • CVE-2024-21518 (Jun 22, 2024)
    risk 0.00, cvss (none listed), epss 0.14

    This affects versions of the package opencart/opencart from 4.0.0.0. A Zip Slip issue was identified via the marketplace installer due to improper sanitization of the target path, allowing files within a malicious archive to traverse the filesystem and be extracted to arbitrary…

  • CVE-2024-3429 (Jun 6, 2024)
    risk 0.00, cvss (none listed), epss 0.28

    A path traversal vulnerability exists in the parisneo/lollms application, specifically within the `sanitize_path_from_endpoint` and `sanitize_path` functions in `lollms_core\lollms\security.py`. This vulnerability allows for arbitrary file reading when the application is running…

  • CVE-2024-2928 (Jun 6, 2024)
    risk 0.00, cvss (none listed), epss 0.22

    A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as…

  • CVE-2024-3848 (May 16, 2024)
    risk 0.00, cvss (none listed), epss 0.43

    A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the…

  • CVE-2024-1561 (Apr 16, 2024)
    risk 0.00, cvss (none listed), epss 0.09

    An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block`…

  • CVE-2024-2083 (Apr 16, 2024)
    risk 0.00, cvss (none listed), epss 0.39

    A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by manipulating the 'logs' URI path in the request to fetch arbitrary file content, bypassing intended access…

  • CVE-2024-3573 (Apr 16, 2024)
    risk 0.00, cvss (none listed), epss 0.01

    mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file'…

  • CVE-2023-6977 (Dec 20, 2023)
    risk 0.00, cvss (none listed), epss 0.04

    This vulnerability enables malicious users to read sensitive files on the server.

  • CVE-2023-6975 (Dec 20, 2023)
    risk 0.00, cvss (none listed), epss 0.02

    A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.

  • CVE-2023-6909 (Dec 18, 2023)
    risk 0.00, cvss (none listed), epss 0.90

    Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

  • CVE-2023-6831 (Dec 15, 2023)
    risk 0.00, cvss (none listed), epss 0.03

    Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

  • CVE-2023-2984 (May 30, 2023)
    risk 0.00, cvss (none listed), epss 0.01

    Path Traversal: '\..\filename' in GitHub repository pimcore/pimcore prior to 10.5.22.

  • CVE-2023-2780 (May 17, 2023)
    risk 0.00, cvss (none listed), epss 0.06

    Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1.

  • CVE-2023-1177 (Mar 24, 2023)
    risk 0.00, cvss (none listed), epss 0.69

    Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.

  • CVE-2023-0316 (Jan 16, 2023)
    risk 0.00, cvss (none listed), epss 0.01

    Path Traversal: '\..\filename' in GitHub repository froxlor/froxlor prior to 2.0.0.

  • CVE-2022-25842 (May 1, 2022)
    risk 0.00, cvss (none listed), epss 0.04

    All versions of package com.alibaba.oneagent:one-java-agent-plugin are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The attacker can overwrite executable…

  • CVE-2021-23484 (Jan 28, 2022)
    risk 0.00, cvss (none listed), epss 0.02

    The package zip-local before 0.3.5 is vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip), which can lead to extraction of a crafted file outside the intended extraction directory.

  • CVE-2021-23391 (Jun 7, 2021)
    risk 0.00, cvss (none listed), epss 0.00

    This affects all versions of package calipso. It is possible for a malicious module to overwrite files on an arbitrary file system through the module install functionality.