Common Weakness Enumeration

CWE-23

Allowed

Relative Path Traversal

Abstraction: Base · Status: Draft

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

778 vulnerabilities reference this CWE, most recent first.

GHSA-5H78-3W3C-QH32

Vulnerability from github – Published: 2025-11-28 09:30 – Updated: 2025-11-28 09:30
VLAI
Details

WebITR developed by Uniong has an Arbitrary File Read vulnerability, allowing authenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13771"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-28T08:15:54Z",
    "severity": "HIGH"
  },
  "details": "WebITR developed by Uniong has an Arbitrary File Read vulnerability, allowing authenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.",
  "id": "GHSA-5h78-3w3c-qh32",
  "modified": "2025-11-28T09:30:17Z",
  "published": "2025-11-28T09:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13771"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-10538-6a26d-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5Q32-895V-VF2F

Vulnerability from github – Published: 2024-03-08 15:30 – Updated: 2025-06-10 09:30
VLAI
Details

A vulnerability was found in ZKTeco ZKBio Media 2.0.0_x64_2024-01-29-1028. It has been classified as problematic. Affected is an unknown function of the file /pro/common/download of the component Service Port 9999. The manipulation of the argument fileName with the input ../../../../zkbio_media.sql leads to path traversal: '../filedir'. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256272. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2318"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23",
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-08T13:15:07Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in ZKTeco ZKBio Media 2.0.0_x64_2024-01-29-1028. It has been classified as problematic. Affected is an unknown function of the file /pro/common/download of the component Service Port 9999. The manipulation of the argument fileName with the input ../../../../zkbio_media.sql leads to path traversal: \u0027../filedir\u0027. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256272. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-5q32-895v-vf2f",
  "modified": "2025-06-10T09:30:30Z",
  "published": "2024-03-08T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2318"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/whiteman007/a3b25a7ddf38774329d72930e0cd841a"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.256272"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.256272"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.288530"
    },
    {
      "type": "WEB",
      "url": "https://www.zkteco.com/en/Security_Bulletinsibs/11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5Q6C-FFVG-XCM9

Vulnerability from github – Published: 2024-06-06 21:30 – Updated: 2025-04-08 22:00
VLAI
Summary
Remote code execution in mlflow
Details

A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command ('Command Injection') within the mlflow.data.http_dataset_source.py module. Specifically, when loading a dataset from a source URL with an HTTP scheme, the filename extracted from the Content-Disposition header or the URL path is used to generate the final file path without proper sanitization. This flaw enables an attacker to control the file path fully by utilizing path traversal or absolute path techniques, such as '../../tmp/poc.txt' or '/tmp/poc.txt', leading to arbitrary file write. Exploiting this vulnerability could allow a malicious user to execute commands on the vulnerable machine, potentially gaining access to data and model information. The issue is fixed in version 2.9.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mlflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-0520"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-06T22:15:31Z",
    "nvd_published_at": "2024-06-06T19:15:51Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command (\u0027Command Injection\u0027) within the `mlflow.data.http_dataset_source.py` module. Specifically, when loading a dataset from a source URL with an HTTP scheme, the filename extracted from the `Content-Disposition` header or the URL path is used to generate the final file path without proper sanitization. This flaw enables an attacker to control the file path fully by utilizing path traversal or absolute path techniques, such as \u0027../../tmp/poc.txt\u0027 or \u0027/tmp/poc.txt\u0027, leading to arbitrary file write. Exploiting this vulnerability could allow a malicious user to execute commands on the vulnerable machine, potentially gaining access to data and model information. The issue is fixed in version 2.9.0.",
  "id": "GHSA-5q6c-ffvg-xcm9",
  "modified": "2025-04-08T22:00:47Z",
  "published": "2024-06-06T21:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0520"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mlflow/mlflow/commit/400c226953b4568f4361bc0a0c223511652c2b9d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mlflow/mlflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2024-239.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/93e470d7-b6f0-409b-af63-49d3e2a26dbc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Remote code execution in mlflow"
}

GHSA-5Q89-432M-P2WV

Vulnerability from github – Published: 2025-09-24 15:31 – Updated: 2025-09-24 15:31
VLAI
Details

nncp before 8.12.0 allows path traversal (for reading or writing) during freqing and file saving via a crafted path in packet data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-60020"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-24T13:15:36Z",
    "severity": "MODERATE"
  },
  "details": "nncp before 8.12.0 allows path traversal (for reading or writing) during freqing and file saving via a crafted path in packet data.",
  "id": "GHSA-5q89-432m-p2wv",
  "modified": "2025-09-24T15:31:13Z",
  "published": "2025-09-24T15:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60020"
    },
    {
      "type": "WEB",
      "url": "http://lists.cypherpunks.su/archive/nncp-devel/CAO-d-4riai9EZx4gVfekow-BCtTn07k8BB1ZdsopPVw=scWD1A@mail.gmail.com/T/#md678a00df1020bb811f47f42ef33c54b789cddd7"
    },
    {
      "type": "WEB",
      "url": "http://www.nncpgo.org/Release-8_005f12_005f0.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5XG3-J2J6-RCX4

Vulnerability from github – Published: 2021-08-25 21:01 – Updated: 2021-09-09 16:46
VLAI
Summary
Relative Path Traversal in git-delta
Details

git-delta before 0.8.3 on Windows resolves an executable's pathname as a relative path from the current directory.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "git-delta"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-36376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23",
      "CWE-427"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-14T19:06:14Z",
    "nvd_published_at": "2021-07-13T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "git-delta before 0.8.3 on Windows resolves an executable\u0027s pathname as a relative path from the current directory.",
  "id": "GHSA-5xg3-j2j6-rcx4",
  "modified": "2021-09-09T16:46:42Z",
  "published": "2021-08-25T21:01:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36376"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dandavison/delta/commit/f01846bd443aaf92fdd5ac20f461beac3f6ee3fd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dandavison/delta"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dandavison/delta/releases/tag/0.8.3"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0105.html"
    },
    {
      "type": "WEB",
      "url": "https://vuln.ryotak.me/advisories/54"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Relative Path Traversal in git-delta"
}

GHSA-62V5-4XC7-QM62

Vulnerability from github – Published: 2026-07-03 21:31 – Updated: 2026-07-03 21:31
VLAI
Details

Relative path traversal in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57988"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-03T21:17:02Z",
    "severity": "HIGH"
  },
  "details": "Relative path traversal in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.",
  "id": "GHSA-62v5-4xc7-qm62",
  "modified": "2026-07-03T21:31:39Z",
  "published": "2026-07-03T21:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57988"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57988"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-63P8-63FF-XR65

Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2022-07-03 00:00
VLAI
Summary
ZipSlip vulnerability in bblfshd
Details

bblfshd is an open source self-hosted server for source code parsing. In bblfshd before commit 4265465b9b6fb5663c30ee43806126012066aad4 there is a "zipslip" vulnerability. The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder. This issue may lead to arbitrary file write (with same permissions as the program running the unpack operation) if the attacker can control the archive file. Additionally, if the attacker has read access to the unpacked files, he may be able to read arbitrary system files the parent process has permissions to read. For more details including a PoC see the referenced GHSL-2020-258.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-32825"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23",
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-16T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "bblfshd is an open source self-hosted server for source code parsing. In bblfshd before commit 4265465b9b6fb5663c30ee43806126012066aad4 there is a \"zipslip\" vulnerability. The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder. This issue may lead to arbitrary file write (with same permissions as the program running the unpack operation) if the attacker can control the archive file. Additionally, if the attacker has read access to the unpacked files, he may be able to read arbitrary system files the parent process has permissions to read. For more details including a PoC see the referenced GHSL-2020-258.",
  "id": "GHSA-63p8-63ff-xr65",
  "modified": "2022-07-03T00:00:24Z",
  "published": "2022-05-24T22:01:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32825"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bblfsh/bblfshd/pull/341"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bblfsh/bblfshd/commit/4265465b9b6fb5663c30ee43806126012066aad4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bblfsh/bblfshd"
    },
    {
      "type": "ADVISORY",
      "url": "https://securitylab.github.com/advisories/GHSL-2020-258-zipslip-bblfshd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ZipSlip vulnerability in bblfshd"
}

GHSA-645J-CM4X-3XVW

Vulnerability from github – Published: 2026-05-21 21:30 – Updated: 2026-06-23 22:56
VLAI
Summary
Concrete CMS Vulnerable to Relative Path Traversal
Details

Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include arbitrary readable files on the server. Combined with the file uploader's extension-only validation (which permits PHP code in files saved with image extensions like .png), this can result in authenticated remote code execution. Concrete CMS thanks Yonatan Drori (Tenzai) for reporting this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "concrete5/concrete5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-8134"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-23T22:56:36Z",
    "nvd_published_at": "2026-05-21T21:16:32Z",
    "severity": "CRITICAL"
  },
  "details": "Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include arbitrary readable files on the server. Combined with the file uploader\u0027s extension-only validation (which permits PHP code in files saved with image extensions like .png), this can result in\u00a0authenticated remote code execution.\u00a0Concrete CMS thanks\u00a0Yonatan Drori\u00a0(Tenzai)\u00a0for reporting this issue.",
  "id": "GHSA-645j-cm4x-3xvw",
  "modified": "2026-06-23T22:56:36Z",
  "published": "2026-05-21T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8134"
    },
    {
      "type": "WEB",
      "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/concretecms/concretecms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Concrete CMS Vulnerable to Relative Path Traversal"
}

GHSA-64QX-VPXX-MVQF

Vulnerability from github – Published: 2026-02-17 16:43 – Updated: 2026-03-06 01:00
VLAI
Summary
OpenClaw has an arbitrary transcript path file write via gateway sessionFile
Details

Summary

In OpenClaw versions prior to 2026.2.12, the gateway accepted an untrusted sessionFile path when resolving the session transcript file. This could allow an authenticated gateway client to create and append OpenClaw session transcript records at an arbitrary path on the gateway host.

Affected Versions

  • Affected: openclaw < 2026.2.12
  • Patched: openclaw >= 2026.2.12 (recommended: >= 2026.2.13)

Impact

An authenticated gateway client could influence where the gateway writes transcript data by supplying sessionFile outside of the sessions directory. Depending on deployment and filesystem permissions, this may enable arbitrary file creation and repeated appends, leading to configuration corruption and/or denial of service.

This issue does not, by itself, provide a proven remote code execution path.

Fix

The transcript path is now constrained to the sessions directory via resolveSessionFilePath(...) containment checks.

Fix commits: - 4199f9889f0c307b77096a229b9e085b8d856c26 - (compat) 25950bcbb8ba4d8cde002557f6e27c219ae4deda

Credits

Thanks to @tubadeligoz for the report.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28459"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23",
      "CWE-284",
      "CWE-73",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T16:43:51Z",
    "nvd_published_at": "2026-03-05T22:16:18Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nIn OpenClaw versions prior to 2026.2.12, the gateway accepted an untrusted `sessionFile` path when resolving the session transcript file. This could allow an authenticated gateway client to create and append OpenClaw session transcript records at an arbitrary path on the gateway host.\n\n## Affected Versions\n\n- Affected: openclaw `\u003c 2026.2.12`\n- Patched: openclaw `\u003e= 2026.2.12` (recommended: `\u003e= 2026.2.13`)\n\n## Impact\n\nAn authenticated gateway client could influence where the gateway writes transcript data by supplying `sessionFile` outside of the sessions directory. Depending on deployment and filesystem permissions, this may enable arbitrary file creation and repeated appends, leading to configuration corruption and/or denial of service.\n\nThis issue does not, by itself, provide a proven remote code execution path.\n\n## Fix\n\nThe transcript path is now constrained to the sessions directory via `resolveSessionFilePath(...)` containment checks.\n\nFix commits:\n- 4199f9889f0c307b77096a229b9e085b8d856c26\n- (compat) 25950bcbb8ba4d8cde002557f6e27c219ae4deda\n\n## Credits\n\nThanks to @tubadeligoz for the report.",
  "id": "GHSA-64qx-vpxx-mvqf",
  "modified": "2026-03-06T01:00:19Z",
  "published": "2026-02-17T16:43:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-64qx-vpxx-mvqf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28459"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/25950bcbb8ba4d8cde002557f6e27c219ae4deda"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/4199f9889f0c307b77096a229b9e085b8d856c26"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.12"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-write-via-untrusted-sessionfile-path"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw has an arbitrary transcript path file write via gateway sessionFile"
}

GHSA-653F-V7GF-V92Q

Vulnerability from github – Published: 2022-12-28 18:30 – Updated: 2023-01-06 21:30
VLAI
Details

There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below. Successful exploitation may allow a remote, unauthenticated attacker traverse the file system to access files outside of the intended directory on ArcGIS Server. This could lead to the disclosure of sensitive site configuration information (not user datasets).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-28T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below. Successful exploitation may allow a remote, unauthenticated attacker traverse the file system to access files outside of the intended directory on ArcGIS Server. This could lead to the disclosure of sensitive site configuration information (not user datasets).",
  "id": "GHSA-653f-v7gf-v92q",
  "modified": "2023-01-06T21:30:41Z",
  "published": "2022-12-28T18:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38202"
    },
    {
      "type": "WEB",
      "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2022-update-2-patch-is-now-available"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20.1
Implementation

Strategy: Input Validation

  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
  • Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
  • realpath() in C
  • getCanonicalPath() in Java
  • GetFullPath() in ASP.NET
  • realpath() or abs_path() in Perl
  • realpath() in PHP
Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-139: Relative Path Traversal

An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.