Common Weakness Enumeration

CWE-426

Allowed-with-Review

Untrusted Search Path

Abstraction: Base · Status: Stable

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

892 vulnerabilities reference this CWE, most recent first.

GHSA-G46C-8PWJ-QP6C

Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32
VLAI
Details

Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have an unquoted search path or element vulnerability that has been identified, which may allow an authorized local user to execute arbitrary code and escalate their level of privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-5470"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-26T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have an unquoted search path or element vulnerability that has been identified, which may allow an authorized local user to execute arbitrary code and escalate their level of privileges.",
  "id": "GHSA-g46c-8pwj-qp6c",
  "modified": "2022-05-13T01:32:06Z",
  "published": "2022-05-13T01:32:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5470"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"
    },
    {
      "type": "WEB",
      "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103182"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G5P4-4PRV-87HC

Vulnerability from github – Published: 2022-05-14 04:01 – Updated: 2022-05-14 04:01
VLAI
Details

Huawei EC156, EC176, and EC177 USB Modem products with software before UTPS-V200R003B015D02SP07C1014 (23.015.02.07.1014) and before V200R003B015D02SP08C1014 (23.015.02.08.1014) use a weak ACL for the "Mobile Partner" directory, which allows remote attackers to gain SYSTEM privileges by compromising a low privilege account and modifying Mobile Partner.exe.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-8358"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-11T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "Huawei EC156, EC176, and EC177 USB Modem products with software before UTPS-V200R003B015D02SP07C1014 (23.015.02.07.1014) and before V200R003B015D02SP08C1014 (23.015.02.08.1014) use a weak ACL for the \"Mobile Partner\" directory, which allows remote attackers to gain SYSTEM privileges by compromising a low privilege account and modifying Mobile Partner.exe.",
  "id": "GHSA-g5p4-4prv-87hc",
  "modified": "2022-05-14T04:01:57Z",
  "published": "2022-05-14T04:01:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-8358"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/128767/Huawei-Mobile-Partner-DLL-Hijacking.html"
    },
    {
      "type": "WEB",
      "url": "http://www.huawei.com/us/psirt/security-advisories/2014/hw-376152"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/70672"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6G5-57J8-8359

Vulnerability from github – Published: 2022-01-13 00:01 – Updated: 2022-01-20 00:02
VLAI
Details

An untrusted search path vulnerability exists in the Palo Alto Networks Cortex XDR agent that enables a local attacker with file creation privilege in the Windows root directory (such as C:) to store a program that can then be unintentionally executed by another local user when that user utilizes a Live Terminal session. This issue impacts: Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12; Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9; Cortex XDR agent 7.2 versions earlier than Cortex XDR agent 7.2.4; Cortex XDR agent 7.3 versions earlier than Cortex XDR agent 7.3.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0014"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-12T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "An untrusted search path vulnerability exists in the Palo Alto Networks Cortex XDR agent that enables a local attacker with file creation privilege in the Windows root directory (such as C:\\) to store a program that can then be unintentionally executed by another local user when that user utilizes a Live Terminal session. This issue impacts: Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12; Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9; Cortex XDR agent 7.2 versions earlier than Cortex XDR agent 7.2.4; Cortex XDR agent 7.3 versions earlier than Cortex XDR agent 7.3.2.",
  "id": "GHSA-g6g5-57j8-8359",
  "modified": "2022-01-20T00:02:24Z",
  "published": "2022-01-13T00:01:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0014"
    },
    {
      "type": "WEB",
      "url": "https://security.paloaltonetworks.com/CVE-2022-0014"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G6PP-R2GC-MP5R

Vulnerability from github – Published: 2024-10-02 21:30 – Updated: 2024-10-02 21:30
VLAI
Details

A potential security vulnerability has been identified in the HP One Agent for certain HP PC products, which might allow for escalation of privilege. HP is releasing software updates to mitigate this potential vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8733"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-02T20:15:11Z",
    "severity": "HIGH"
  },
  "details": "A potential security vulnerability\nhas been identified in the HP One Agent for certain HP PC products, which might\nallow for escalation of privilege. HP is releasing software updates to mitigate\nthis potential vulnerability.",
  "id": "GHSA-g6pp-r2gc-mp5r",
  "modified": "2024-10-02T21:30:36Z",
  "published": "2024-10-02T21:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8733"
    },
    {
      "type": "WEB",
      "url": "https://support.hp.com/us-en/document/ish_11270215-11270239-16"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G75X-8QQM-2VXP

Vulnerability from github – Published: 2026-03-03 22:08 – Updated: 2026-03-30 13:26
VLAI
Summary
OpenClaw's `tools.exec.safeBins` PATH-hijack allowed trojan binaries to bypass allowlist checks
Details

Summary

tools.exec.safeBins allowlist checks could be bypassed by PATH-hijacked binaries, allowing execution of attacker-controlled trojan binaries under an allowlisted executable name.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published version at triage time: 2026.2.17
  • Affected range: >= 2026.1.21 < 2026.2.18
  • Patched version: 2026.2.19

Impact

In allowlist mode, safeBins validation previously accepted a resolved executable path based on executable name and argument shape, without enforcing trusted executable directories. If an attacker could influence process PATH resolution before gateway startup (or otherwise control the gateway launch environment), a trojan binary with an allowlisted name (for example jq) could be executed.

Severity Rationale

This issue is rated medium because exploitation requires an additional precondition: influencing the gateway process PATH / launch environment. Request-scoped PATH injection is blocked for host execution.

Fix

safeBins now requires the resolved executable path to come from trusted bin directories (system defaults plus gateway startup PATH), closing the bypass.

Fix Commit(s)

  • 28bac46c92069dc728524fbf383024c1b64e5c23

OpenClaw thanks @jackhax for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2026.1.21"
            },
            {
              "fixed": "2026.2.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T22:08:26Z",
    "nvd_published_at": "2026-03-19T22:16:34Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`tools.exec.safeBins` allowlist checks could be bypassed by PATH-hijacked binaries, allowing execution of attacker-controlled trojan binaries under an allowlisted executable name.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Latest published version at triage time: `2026.2.17`\n- Affected range: `\u003e= 2026.1.21 \u003c 2026.2.18`\n- Patched version: `2026.2.19`\n\n## Impact\n\nIn allowlist mode, `safeBins` validation previously accepted a resolved executable path based on executable name and argument shape, without enforcing trusted executable directories. If an attacker could influence process PATH resolution before gateway startup (or otherwise control the gateway launch environment), a trojan binary with an allowlisted name (for example `jq`) could be executed.\n\n## Severity Rationale\n\nThis issue is rated `medium` because exploitation requires an additional precondition: influencing the gateway process PATH / launch environment. Request-scoped PATH injection is blocked for host execution.\n\n## Fix\n\n`safeBins` now requires the resolved executable path to come from trusted bin directories (system defaults plus gateway startup PATH), closing the bypass.\n\n## Fix Commit(s)\n\n- 28bac46c92069dc728524fbf383024c1b64e5c23\n\nOpenClaw thanks @jackhax for reporting.",
  "id": "GHSA-g75x-8qqm-2vxp",
  "modified": "2026-03-30T13:26:17Z",
  "published": "2026-03-03T22:08:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g75x-8qqm-2vxp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32015"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/28bac46c92069dc728524fbf383024c1b64e5c23"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-path-hijacking-bypass-in-tools-exec-safebins-allowlist-validation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw\u0027s `tools.exec.safeBins` PATH-hijack allowed trojan binaries to bypass allowlist checks"
}

GHSA-G7G5-6GX5-WPCQ

Vulnerability from github – Published: 2025-08-13 00:30 – Updated: 2025-08-13 00:30
VLAI
Details

Race condition in the installer for certain Zoom Clients for Windows may allow an unauthenticated user to impact application integrity via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49456"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-12T23:15:28Z",
    "severity": "MODERATE"
  },
  "details": "Race condition in the installer for certain Zoom Clients for Windows may allow an unauthenticated user to impact  application integrity via local access.",
  "id": "GHSA-g7g5-6gx5-wpcq",
  "modified": "2025-08-13T00:30:56Z",
  "published": "2025-08-13T00:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49456"
    },
    {
      "type": "WEB",
      "url": "https://www.zoom.com/en/trust/security-bulletin/zsb-25029"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G7WV-3J9Q-38RM

Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20
VLAI
Details

Uncontrolled search path in the Intel(R) RealSense(TM) D400 Series UWP driver for Windows 10 before version 6.1.160.22 may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-17T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Uncontrolled search path in the Intel(R) RealSense(TM) D400 Series UWP driver for Windows 10 before version 6.1.160.22 may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-g7wv-3j9q-38rm",
  "modified": "2022-05-24T19:20:58Z",
  "published": "2022-05-24T19:20:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33063"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00557.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G8R7-88VW-G9XX

Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2022-05-13 01:06
VLAI
Details

Untrusted search path vulnerability in the installer of PhishWall Client Internet Explorer version Ver. 3.7.13 and earlier allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-2130"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-28T16:59:00Z",
    "severity": "HIGH"
  },
  "details": "Untrusted search path vulnerability in the installer of PhishWall Client Internet Explorer version Ver. 3.7.13 and earlier allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.",
  "id": "GHSA-g8r7-88vw-g9xx",
  "modified": "2022-05-13T01:06:08Z",
  "published": "2022-05-13T01:06:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2130"
    },
    {
      "type": "WEB",
      "url": "http://jvn.jp/en/jp/JVN93699304/index.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securebrain.co.jp/about/news/2017/03/170316.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97113"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G985-WJH9-QXXC

Vulnerability from github – Published: 2026-04-10 19:32 – Updated: 2026-04-14 21:54
VLAI
Summary
PraisonAI Vulnerable to RCE via Automatic tools.py Import
Details

PraisonAI automatically imports ./tools.py from the current working directory when launching certain components. This includes call.py, tool_resolver.py, and CLI tool-loading paths.

A malicious tools.py placed in the process working directory is executed immediately, allowing arbitrary Python code execution in the host environment.

Affected Code

  • call.py → import_tools_from_file()
  • tool_resolver.py → _load_local_tools()
  • tools.py → local tool import flow

PoC

Create tools.py in the directory where PraisonAI is launched:

# tools.py
import os
os.system("echo pwned > /tmp/pwned.txt")

Run any PraisonAI component that loads local tools, for example:

praisonai workflow run safe.yaml

Reproduction Steps

  1. Create a malicious tools.py in the current working directory.
  2. Start PraisonAI or invoke a CLI command that loads local tools.
  3. Verify that /tmp/pwned.txt or the malicious command output exists.

Impact

An attacker who can place or influence tools.py in the working directory can execute arbitrary code in the PraisonAI process, compromising the host and any connected data.

Reporter: Lakshmikanthan K (letchupkt)

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.5.139"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonaiagents"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.140"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.5.138"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "PraisonAI"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.139"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40287"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T19:32:32Z",
    "nvd_published_at": "2026-04-14T04:17:11Z",
    "severity": "HIGH"
  },
  "details": "PraisonAI automatically imports `./tools.py` from the current working directory when launching certain components. This includes call.py, tool_resolver.py, and CLI tool-loading paths.\n\nA malicious tools.py placed in the process working directory is executed immediately, allowing arbitrary Python code execution in the host environment.\n\n### Affected Code\n- call.py \u2192 `import_tools_from_file()`\n- tool_resolver.py \u2192 `_load_local_tools()`\n- tools.py \u2192 local tool import flow\n- \n\n### PoC\nCreate tools.py in the directory where PraisonAI is launched:\n\n```python\n# tools.py\nimport os\nos.system(\"echo pwned \u003e /tmp/pwned.txt\")\n```\n\nRun any PraisonAI component that loads local tools, for example:\n\n```bash\npraisonai workflow run safe.yaml\n```\n\n### Reproduction Steps\n1. Create a malicious tools.py in the current working directory.\n2. Start PraisonAI or invoke a CLI command that loads local tools.\n3. Verify that `/tmp/pwned.txt` or the malicious command output exists.\n\n### Impact\nAn attacker who can place or influence tools.py in the working directory can execute arbitrary code in the PraisonAI process, compromising the host and any connected data.\n\n**Reporter:** Lakshmikanthan K (letchupkt)",
  "id": "GHSA-g985-wjh9-qxxc",
  "modified": "2026-04-14T21:54:23Z",
  "published": "2026-04-10T19:32:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g985-wjh9-qxxc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40287"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.139"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI Vulnerable to RCE via Automatic tools.py Import"
}

GHSA-G997-2WCF-J63G

Vulnerability from github – Published: 2025-01-31 15:30 – Updated: 2025-02-18 21:32
VLAI
Details

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39378.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24827"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-31T13:15:27Z",
    "severity": "MODERATE"
  },
  "details": "Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39378.",
  "id": "GHSA-g997-2wcf-j63g",
  "modified": "2025-02-18T21:32:35Z",
  "published": "2025-01-31T15:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24827"
    },
    {
      "type": "WEB",
      "url": "https://security-advisory.acronis.com/advisories/SEC-7841"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Strategy: Attack Surface Reduction

Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.

Mitigation
Implementation

When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Mitigation
Implementation

Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.

Mitigation
Implementation

Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.

Mitigation
Implementation

Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.

CAPEC-38: Leveraging/Manipulating Configuration File Search Paths

This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.