Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1992 vulnerabilities reference this CWE, most recent first.

GHSA-GRQM-6JMC-2H46

Vulnerability from github – Published: 2022-04-22 00:24 – Updated: 2025-08-04 21:30
VLAI
Details

_is_safe in the File::Temp module for Perl does not properly handle symlinks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-4116"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-01-31T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "_is_safe in the File::Temp module for Perl does not properly handle symlinks.",
  "id": "GHSA-grqm-6jmc-2h46",
  "modified": "2025-08-04T21:30:35Z",
  "published": "2022-04-22T00:24:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4116"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14"
    },
    {
      "type": "WEB",
      "url": "https://rt.cpan.org/Public/Bug/Display.html?id=69106"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/oss-sec/2011/q4/238"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2011/11/04/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2011/11/04/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GRV5-4XR2-Q4P5

Vulnerability from github – Published: 2022-05-17 00:22 – Updated: 2025-04-20 03:47
VLAI
Details

foo2zjs before 20110722dfsg-3ubuntu1 as packaged in Ubuntu, 20110722dfsg-1 as packaged in Debian unstable, and 20090908dfsg-5.1+squeeze0 as packaged in Debian squeeze create temporary files insecurely, which allows local users to write over arbitrary files via a symlink attack on /tmp/foo2zjs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-2684"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-23T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "foo2zjs before 20110722dfsg-3ubuntu1 as packaged in Ubuntu, 20110722dfsg-1 as packaged in Debian unstable, and 20090908dfsg-5.1+squeeze0 as packaged in Debian squeeze create temporary files insecurely, which allows local users to write over arbitrary files via a symlink attack on /tmp/foo2zjs.",
  "id": "GHSA-grv5-4xr2-q4p5",
  "modified": "2025-04-20T03:47:33Z",
  "published": "2022-05-17T00:22:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2684"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633870"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/ubuntu/+source/foo2zjs/+bug/805370"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2011-2684"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2011/07/06/10"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/02/08/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GVJC-4RFJ-MXXJ

Vulnerability from github – Published: 2026-06-13 03:30 – Updated: 2026-06-30 03:37
VLAI
Details

A symlink following vulnerability was found in the ABRT post-create event handler scripts in libreport. Event scripts write output files using shell redirections without the O_NOFOLLOW flag. If the target file is replaced with a symlink, the shell process running as root follows the symlink and writes content to the symlink target, allowing arbitrary file overwrites on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-54230"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-13T03:16:21Z",
    "severity": "HIGH"
  },
  "details": "A symlink following vulnerability was found in the ABRT post-create event handler scripts in libreport. Event scripts write output files using shell redirections without the O_NOFOLLOW flag. If the target file is replaced with a symlink, the shell process running as root follows the symlink and writes content to the symlink target, allowing arbitrary file overwrites on the system.",
  "id": "GHSA-gvjc-4rfj-mxxj",
  "modified": "2026-06-30T03:37:03Z",
  "published": "2026-06-13T03:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54230"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-54230"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488568"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-54230.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GVQJ-CJP6-GRRV

Vulnerability from github – Published: 2024-01-23 21:30 – Updated: 2024-07-03 18:33
VLAI
Details

A link following vulnerability in the Trend Micro Deep Security 20.0 and Trend Micro Cloud One - Endpoint and Workload Security Agent could allow a local attacker to escalate privileges on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52338"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-23T21:15:09Z",
    "severity": "HIGH"
  },
  "details": "A link following vulnerability in the Trend Micro Deep Security 20.0 and Trend Micro Cloud One - Endpoint and Workload Security Agent could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
  "id": "GHSA-gvqj-cjp6-grrv",
  "modified": "2024-07-03T18:33:23Z",
  "published": "2024-01-23T21:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52338"
    },
    {
      "type": "WEB",
      "url": "https://success.trendmicro.com/dcx/s/solution/000296337?language=en_US"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-076"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GVRG-2XVQ-7J38

Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53
VLAI
Details

w3m through 0.5.3 does not properly handle temporary files when the ~/.w3m directory is unwritable, which allows a local attacker to craft a symlink attack to overwrite arbitrary files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-6198"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-25T03:29:00Z",
    "severity": "MODERATE"
  },
  "details": "w3m through 0.5.3 does not properly handle temporary files when the ~/.w3m directory is unwritable, which allows a local attacker to craft a symlink attack to overwrite arbitrary files.",
  "id": "GHSA-gvrg-2xvq-7j38",
  "modified": "2022-05-13T01:53:03Z",
  "published": "2022-05-13T01:53:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6198"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tats/w3m/commit/18dcbadf2771cdb0c18509b14e4e73505b242753"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/888097"
    },
    {
      "type": "WEB",
      "url": "https://salsa.debian.org/debian/w3m/commit/18dcbadf2771cdb0c18509b14e4e73505b242753"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3555-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3555-2"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102855"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GWM6-Q8CH-HCFR

Vulnerability from github – Published: 2026-07-06 19:54 – Updated: 2026-07-06 19:54
VLAI
Summary
install -D: symlink race in directory creation allows arbitrary file overwrite
Details

The -D path runs fs::create_dir_all on a pathname then later opens the destination via path-based File::create/fs::copy, neither anchored to a directory fd. Between the two, an attacker can replace a path component with a symlink, redirecting the write.

Impact: an attacker with concurrent write access to the destination tree can redirect a privileged install -D to an arbitrary location, enabling arbitrary file overwrite with attacker-controlled content. Recommendation: use dirfd-based traversal (openat/mkdirat + O_NOFOLLOW) per component and create the destination via openat on the same dirfd.

Remediation: Acknowledged by Canonical; fixed in commit 0c412999.


Reported by Zellic in the uutils coreutils Program Security Assessment (prepared for Canonical, Jan 20 2026), audited commit 3a07ffc5a9bd4c283e75afa548ba1f1957bad242. Finding 3.51. Credit: Zellic.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "uu_install"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35356"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-367",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-06T19:54:56Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The `-D` path runs `fs::create_dir_all` on a pathname then later opens the destination via path-based `File::create`/`fs::copy`, neither anchored to a directory fd. Between the two, an attacker can replace a path component with a symlink, redirecting the write.\n\n**Impact:** an attacker with concurrent write access to the destination tree can redirect a privileged `install -D` to an arbitrary location, enabling arbitrary file overwrite with attacker-controlled content. Recommendation: use dirfd-based traversal (`openat`/`mkdirat` + `O_NOFOLLOW`) per component and create the destination via `openat` on the same dirfd.\n\n**Remediation:** Acknowledged by Canonical; fixed in commit 0c412999.\n\n---\n_Reported by Zellic in the *uutils coreutils Program Security Assessment* (prepared for Canonical, Jan 20 2026), audited commit `3a07ffc5a9bd4c283e75afa548ba1f1957bad242`. Finding 3.51. Credit: Zellic._",
  "id": "GHSA-gwm6-q8ch-hcfr",
  "modified": "2026-07-06T19:54:56Z",
  "published": "2026-07-06T19:54:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/uutils/coreutils/security/advisories/GHSA-gwm6-q8ch-hcfr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35356"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uutils/coreutils/pull/10140"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uutils/coreutils/commit/0c41299975f3c1e21cf5ca968d42cad55ceb42a1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/uutils/coreutils"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uutils/coreutils/releases/tag/0.7.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "install -D: symlink race in directory creation allows arbitrary file overwrite"
}

GHSA-GWXW-RJ4R-JXQV

Vulnerability from github – Published: 2023-07-05 12:30 – Updated: 2024-01-07 12:30
VLAI
Details

Uploading files which contain symlinks may have allowed an attacker to trick a user into submitting sensitive data to a malicious website. This vulnerability affects Firefox < 115.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-37206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-05T10:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Uploading files which contain symlinks may have allowed an attacker to trick a user into submitting sensitive data to a malicious website. This vulnerability affects Firefox \u003c 115.",
  "id": "GHSA-gwxw-rj4r-jxqv",
  "modified": "2024-01-07T12:30:29Z",
  "published": "2023-07-05T12:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37206"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1813299"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202401-10"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2023-22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GX69-6CP4-HXRJ

Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2023-03-08 20:17
VLAI
Summary
RubyGems Link Following vulnerability
Details

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rubygems-update"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jruby:jruby-stdlib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.1.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1000073"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-08T20:17:23Z",
    "nvd_published_at": "2018-03-13T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in `install_location` function of `package.rb` that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6.",
  "id": "GHSA-gx69-6cp4-hxrj",
  "modified": "2023-03-08T20:17:23Z",
  "published": "2022-05-13T01:18:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000073"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4259"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4219"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3621-1"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubygems-update/CVE-2018-1000073.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rubygems/rubygems"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925986"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0663"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0591"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0542"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2028"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3731"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3730"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3729"
    },
    {
      "type": "WEB",
      "url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "RubyGems Link Following vulnerability"
}

GHSA-GXFM-293Q-5F27

Vulnerability from github – Published: 2025-12-15 03:30 – Updated: 2025-12-15 03:30
VLAI
Details

A vulnerability has been found in Ugreen DH2100+ up to 5.3.0. This affects an unknown function of the component USB Handler. Such manipulation leads to symlink following. The attack can be executed directly on the physical device. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14693"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-15T01:15:37Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been found in Ugreen DH2100+ up to 5.3.0. This affects an unknown function of the component USB Handler. Such manipulation leads to symlink following. The attack can be executed directly on the physical device. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-gxfm-293q-5f27",
  "modified": "2025-12-15T03:30:17Z",
  "published": "2025-12-15T03:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14693"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.336411"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.336411"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.704646"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.704657"
    },
    {
      "type": "WEB",
      "url": "https://www.notion.so/2bc6cf4e528a8083bf3fc6f7a953f0a1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-GXFX-4M5Q-QCQF

Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2025-10-22 00:31
VLAI
Details

An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1129.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-1130"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-15T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka \u0027Windows Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2019-1129.",
  "id": "GHSA-gxfx-4m5q-qcqf",
  "modified": "2025-10-22T00:31:42Z",
  "published": "2022-05-24T16:50:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1130"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1130"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1130"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.