VYPR

CWE-50

Path Equivalence: '//multiple/leading/slash'

Variant | Incomplete

Description

The product accepts path input in the form of multiple leading slashes ('//multiple/leading/slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
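An added example (not part of the CWE entry and not code from any project named on this page) showing why a deny-list has to be evaluated on the canonical path: a check on the raw string misses `//private/key.pem`, while canonicalizing first catches it. The deny-list entries, sample paths and function names are constructed for illustration, and the input is assumed to be percent-decoded already.

```javascript
// Constructed deny-list for this example: one directory, one file.
const DENIED = ['/private', '/.env'];

// Canonicalize an absolute path: collapse runs of '/', drop '.' segments,
// resolve '..'. Returns null if the path is not absolute or climbs above root.
function canonicalize(rawPath) {
  if (typeof rawPath !== 'string' || !rawPath.startsWith('/')) return null;
  const out = [];
  for (const seg of rawPath.split('/')) {
    if (seg === '' || seg === '.') continue; // empty segment = repeated slash
    if (seg === '..') {
      if (out.length === 0) return null; // would escape the root
      out.pop();
    } else {
      out.push(seg);
    }
  }
  return '/' + out.join('/');
}

// True when the path is a denied entry or lies underneath one.
function isDenied(path) {
  return DENIED.some((entry) => path === entry || path.startsWith(entry + '/'));
}

// Weak form: the deny-list is compared against the raw request path, so an
// equivalent spelling with extra leading slashes does not match any entry.
function naiveAllows(rawPath) {
  return !isDenied(rawPath);
}

// Hardened form: canonicalize once, check the canonical path, and return that
// same canonical path so the later file lookup uses exactly what was checked.
function checkedPath(rawPath) {
  const canonical = canonicalize(rawPath);
  if (canonical === null || isDenied(canonical)) return null;
  return canonical;
}

// Constructed sample inputs.
for (const p of ['/private/key.pem', '//private/key.pem', '///.env', '//public//app.js']) {
  console.log(p, '| naive allows:', naiveAllows(p), '| checked path:', checkedPath(p));
}
```

Returning the canonical path from `checkedPath` matters as much as the check itself: if the file lookup re-parses the raw input, the check and the lookup can still disagree.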

Hierarchy (View 1000)

Children

none

CVEs mapped to this weakness (1)

  • CVE-2023-34092 | Jun 1, 2023
    risk 0.00 | cvss | epss 0.03

    Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, Vite Server Options (`server.fs.deny`) can be bypassed using a double forward slash (//), which allows any unauthenticated user to read files from the Vite root path of the application…