CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1989 vulnerabilities reference this CWE, most recent first.
GHSA-M733-5W8F-5GGW
Vulnerability from github – Published: 2026-01-26 21:02 – Updated: 2026-01-29 03:23Summary
When pnpm installs a file: (directory) or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., /etc/passwd, ~/.ssh/id_rsa) causes pnpm to copy that file's contents into node_modules, leaking local data.
Preconditions: Only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected.
Details
The vulnerability exists in store/cafs/src/addFilesFromDir.ts. The code uses fs.statSync() and readFileSync() which follow symlinks by default:
const absolutePath = path.join(dirname, relativePath)
const stat = fs.statSync(absolutePath) // Follows symlinks!
const buffer = fs.readFileSync(absolutePath) // Reads symlink TARGET
There is no check that absolutePath resolves to a location inside the package directory.
PoC
# Create malicious package
mkdir -p /tmp/evil && cd /tmp/evil
ln -s /etc/passwd leaked-passwd.txt
echo '{"name":"evil","version":"1.0.0","files":["*.txt"]}' > package.json
# Victim installs
mkdir /tmp/victim && cd /tmp/victim
pnpm init && pnpm add file:../evil
# Leaked!
cat node_modules/evil/leaked-passwd.txt
Impact
- Developers installing local/file dependencies
- CI/CD pipelines installing git dependencies
- Credential theft via symlinks to
~/.aws/credentials,~/.npmrc,~/.ssh/id_rsa
Suggested Fix
Use lstatSync to detect symlinks and reject those pointing outside the package root in store/cafs/src/addFilesFromDir.ts.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "pnpm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.28.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-24056"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-26T21:02:33Z",
"nvd_published_at": "2026-01-26T22:15:56Z",
"severity": "MODERATE"
},
"details": "### Summary\nWhen pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file\u0027s contents into `node_modules`, leaking local data.\n\n**Preconditions:** Only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected.\n\n### Details\nThe vulnerability exists in `store/cafs/src/addFilesFromDir.ts`. The code uses `fs.statSync()` and `readFileSync()` which follow symlinks by default:\n\n```typescript\nconst absolutePath = path.join(dirname, relativePath)\nconst stat = fs.statSync(absolutePath) // Follows symlinks!\nconst buffer = fs.readFileSync(absolutePath) // Reads symlink TARGET\n```\n\nThere is no check that `absolutePath` resolves to a location inside the package directory.\n\n### PoC\n```bash\n# Create malicious package\nmkdir -p /tmp/evil \u0026\u0026 cd /tmp/evil\nln -s /etc/passwd leaked-passwd.txt\necho \u0027{\"name\":\"evil\",\"version\":\"1.0.0\",\"files\":[\"*.txt\"]}\u0027 \u003e package.json\n\n# Victim installs\nmkdir /tmp/victim \u0026\u0026 cd /tmp/victim\npnpm init \u0026\u0026 pnpm add file:../evil\n\n# Leaked!\ncat node_modules/evil/leaked-passwd.txt\n```\n\n### Impact\n- Developers installing local/file dependencies\n- CI/CD pipelines installing git dependencies\n- Credential theft via symlinks to `~/.aws/credentials`, `~/.npmrc`, `~/.ssh/id_rsa`\n\n### Suggested Fix\nUse `lstatSync` to detect symlinks and reject those pointing outside the package root in `store/cafs/src/addFilesFromDir.ts`.",
"id": "GHSA-m733-5w8f-5ggw",
"modified": "2026-01-29T03:23:22Z",
"published": "2026-01-26T21:02:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24056"
},
{
"type": "WEB",
"url": "https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f"
},
{
"type": "PACKAGE",
"url": "https://github.com/pnpm/pnpm"
},
{
"type": "WEB",
"url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "pnpm has symlink traversal in file:/git dependencies"
}
GHSA-M77G-9R5H-645W
Vulnerability from github – Published: 2022-05-03 03:18 – Updated: 2022-05-03 03:18cfgcon in IBM AIX 5.2 and 5.3 does not properly validate the argument to the "-p" option to swcons, which allows local users in the system group to create an arbitrary file, and enable world writability of this file, via a symlink attack involving use of the file's name as the argument. NOTE: this issue is due to an incomplete fix for CVE-2007-5804.
{
"affected": [],
"aliases": [
"CVE-2007-5805"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2007-11-05T17:46:00Z",
"severity": "MODERATE"
},
"details": "cfgcon in IBM AIX 5.2 and 5.3 does not properly validate the argument to the \"-p\" option to swcons, which allows local users in the system group to create an arbitrary file, and enable world writability of this file, via a symlink attack involving use of the file\u0027s name as the argument. NOTE: this issue is due to an incomplete fix for CVE-2007-5804.",
"id": "GHSA-m77g-9r5h-645w",
"modified": "2022-05-03T03:18:26Z",
"published": "2022-05-03T03:18:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5805"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/38154"
},
{
"type": "WEB",
"url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=611"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/27437"
},
{
"type": "WEB",
"url": "http://www-1.ibm.com/support/docview.wss?uid=isg1IZ03055"
},
{
"type": "WEB",
"url": "http://www-1.ibm.com/support/docview.wss?uid=isg1IZ03061"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/26258"
},
{
"type": "WEB",
"url": "http://www14.software.ibm.com/webapp/set2/subscriptions/ijhifoeblist?mode=7\u0026heading=AIX53\u0026path=%2F200710%2FSECURITY%2F20071030%2Fdatafile100405"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M7CP-W3XH-QR3P
Vulnerability from github – Published: 2023-02-16 18:30 – Updated: 2023-02-27 18:32In Eternal Terminal 6.2.1, TelemetryService uses fixed paths in /tmp. For example, a local attacker can create /tmp/.sentry-native-etserver with mode 0777 before the etserver process is started. The attacker can choose to read sensitive information from that file, or modify the information in that file.
{
"affected": [],
"aliases": [
"CVE-2023-23558"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-16T16:15:00Z",
"severity": "MODERATE"
},
"details": "In Eternal Terminal 6.2.1, TelemetryService uses fixed paths in /tmp. For example, a local attacker can create /tmp/.sentry-native-etserver with mode 0777 before the etserver process is started. The attacker can choose to read sensitive information from that file, or modify the information in that file.",
"id": "GHSA-m7cp-w3xh-qr3p",
"modified": "2023-02-27T18:32:01Z",
"published": "2023-02-16T18:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23558"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1207126"
},
{
"type": "WEB",
"url": "https://github.com/MisterTea/EternalTerminal"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/02/16/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M82X-J38M-84QV
Vulnerability from github – Published: 2022-04-29 03:00 – Updated: 2024-01-26 18:30Portage before 2.0.50-r3 allows local users to overwrite arbitrary files via a hard link attack on the lockfiles.
{
"affected": [],
"aliases": [
"CVE-2004-1901"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2004-12-31T05:00:00Z",
"severity": "MODERATE"
},
"details": "Portage before 2.0.50-r3 allows local users to overwrite arbitrary files via a hard link attack on the lockfiles.",
"id": "GHSA-m82x-j38m-84qv",
"modified": "2024-01-26T18:30:30Z",
"published": "2022-04-29T03:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2004-1901"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/15754"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/11305"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200404-01.xml"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/10060"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M856-89MJ-R6PG
Vulnerability from github – Published: 2025-10-01 15:30 – Updated: 2025-10-01 15:30Improper handling of symbolic links in the TeamViewer Full Client and Host for Windows — in versions prior to 15.70 of TeamViewer Remote and Tensor — allows an attacker with local, unprivileged access to a device lacking adequate malware protection to escalate privileges by spoofing the update file path. This may result in unauthorized access to sensitive information.
{
"affected": [],
"aliases": [
"CVE-2025-41421"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-01T14:15:39Z",
"severity": "MODERATE"
},
"details": "Improper handling of symbolic links in the TeamViewer Full Client and Host for Windows \u2014 in versions prior to 15.70 of TeamViewer Remote and Tensor \u2014 allows an attacker with local, unprivileged access to a device lacking adequate malware protection to escalate privileges by spoofing the update file path. This may result in unauthorized access to sensitive information.",
"id": "GHSA-m856-89mj-r6pg",
"modified": "2025-10-01T15:30:34Z",
"published": "2025-10-01T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41421"
},
{
"type": "WEB",
"url": "https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M8G5-JR5H-6C6F
Vulnerability from github – Published: 2025-04-08 18:34 – Updated: 2025-04-08 18:34Improper link resolution before file access ('link following') in Windows Installer allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-27727"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-08T18:16:00Z",
"severity": "HIGH"
},
"details": "Improper link resolution before file access (\u0027link following\u0027) in Windows Installer allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-m8g5-jr5h-6c6f",
"modified": "2025-04-08T18:34:52Z",
"published": "2025-04-08T18:34:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27727"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-27727"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M8M3-V647-2HVV
Vulnerability from github – Published: 2024-11-23 03:31 – Updated: 2024-11-23 03:31Avast Cleanup Premium Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Avast Cleanup Premium. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the Avast Cleanup Service. By creating a symbolic link, an attacker can abuse the service to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22893.
{
"affected": [],
"aliases": [
"CVE-2024-7230"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-22T22:15:15Z",
"severity": "HIGH"
},
"details": "Avast Cleanup Premium Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Avast Cleanup Premium. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the Avast Cleanup Service. By creating a symbolic link, an attacker can abuse the service to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22893.",
"id": "GHSA-m8m3-v647-2hvv",
"modified": "2024-11-23T03:31:58Z",
"published": "2024-11-23T03:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7230"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1000"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M8QC-MF6P-PFQ9
Vulnerability from github – Published: 2020-03-11 20:56 – Updated: 2024-10-26 22:44python-rply before 0.7.4 insecurely creates temporary files.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "rply"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-1938"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2020-03-11T20:55:50Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "python-rply before 0.7.4 insecurely creates temporary files.",
"id": "GHSA-m8qc-mf6p-pfq9",
"modified": "2024-10-26T22:44:05Z",
"published": "2020-03-11T20:56:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1938"
},
{
"type": "WEB",
"url": "https://github.com/alex/rply/issues/42"
},
{
"type": "WEB",
"url": "https://github.com/alex/rply/commit/76d268a38c627bf4aebebcd064f5b6d380eb8b20"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737627"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-m8qc-mf6p-pfq9"
},
{
"type": "PACKAGE",
"url": "https://github.com/alex/rply"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/rply/PYSEC-2019-202.yaml"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2014-1938"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/02/11/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Link Following in rply"
}
GHSA-M8V2-6WWH-R4GC
Vulnerability from github – Published: 2026-03-03 23:10 – Updated: 2026-03-18 21:52Summary
In openclaw up to and including 2026.2.23 (latest npm release as of February 24, 2026), sandbox bind-source validation could be bypassed when a bind source used a symlinked parent plus a non-existent leaf path.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected:
<= 2026.2.23 - Patched:
>= 2026.2.24(planned next release)
Root Cause
validateBindMounts previously relied on full-path realpath only when the full source path already existed. For missing-leaf paths, parent symlink traversal was not fully canonicalized before allowed-root and blocked-path checks.
Security Impact
A source path that looked inside an allowed root could resolve outside that root (including blocked runtime paths) once the missing leaf was created, weakening sandbox bind-source boundary enforcement.
Fix
The validation path now canonicalizes through the nearest existing ancestor, then always re-checks the canonical path against both: - allowed source roots - blocked runtime paths
Verification
pnpm checkpnpm exec vitest run --config vitest.gateway.config.tspnpm test:fast- Added regression tests for symlink-parent + missing-leaf bypass patterns.
Fix Commit(s)
b5787e4abba0dcc6baf09051099f6773c1679ec1
Release Process Note
patched_versions is pre-set to the planned next release (2026.2.24) so after npm publish the advisory can be published without further field edits.
OpenClaw thanks @tdjackey for reporting.
Publication Update (2026-02-25)
openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks >= 2026.2.24 as patched.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.23"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.24"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27523"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T23:10:01Z",
"nvd_published_at": "2026-03-18T02:16:23Z",
"severity": "HIGH"
},
"details": "### Summary\nIn `openclaw` up to and including **2026.2.23** (latest npm release as of **February 24, 2026**), sandbox bind-source validation could be bypassed when a bind source used a symlinked parent plus a non-existent leaf path.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `\u003c= 2026.2.23`\n- Patched: `\u003e= 2026.2.24` (planned next release)\n\n### Root Cause\n`validateBindMounts` previously relied on full-path realpath only when the full source path already existed. For missing-leaf paths, parent symlink traversal was not fully canonicalized before allowed-root and blocked-path checks.\n\n### Security Impact\nA source path that looked inside an allowed root could resolve outside that root (including blocked runtime paths) once the missing leaf was created, weakening sandbox bind-source boundary enforcement.\n\n### Fix\nThe validation path now canonicalizes through the nearest existing ancestor, then always re-checks the canonical path against both:\n- allowed source roots\n- blocked runtime paths\n\n### Verification\n- `pnpm check`\n- `pnpm exec vitest run --config vitest.gateway.config.ts`\n- `pnpm test:fast`\n- Added regression tests for symlink-parent + missing-leaf bypass patterns.\n\n### Fix Commit(s)\n- `b5787e4abba0dcc6baf09051099f6773c1679ec1`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.24`) so after npm publish the advisory can be published without further field edits.\n\nOpenClaw thanks @tdjackey for reporting.\n\n\n### Publication Update (2026-02-25)\n`openclaw@2026.2.24` is published on npm and contains the fix commit(s) listed above. This advisory now marks `\u003e= 2026.2.24` as patched.",
"id": "GHSA-m8v2-6wwh-r4gc",
"modified": "2026-03-18T21:52:35Z",
"published": "2026-03-03T23:10:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-m8v2-6wwh-r4gc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27523"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/b5787e4abba0dcc6baf09051099f6773c1679ec1"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-sandbox-bind-validation-bypass-via-symlink-parent-missing-leaf-paths"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw\u0027s sandbox bind validation could bypass allowed-root and blocked-path checks via symlink-parent missing-leaf paths"
}
GHSA-M923-RJ4W-WVH7
Vulnerability from github – Published: 2022-05-17 05:03 – Updated: 2022-05-17 05:03Red Hat Storage 2.0 allows local users to overwrite arbitrary files via a symlink attack on the (1) e, (2) local-bricks.list, (3) bricks.err, or (4) limits.conf files in /tmp.
{
"affected": [],
"aliases": [
"CVE-2013-4157"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-10-04T17:55:00Z",
"severity": "LOW"
},
"details": "Red Hat Storage 2.0 allows local users to overwrite arbitrary files via a symlink attack on the (1) e, (2) local-bricks.list, (3) bricks.err, or (4) limits.conf files in /tmp.",
"id": "GHSA-m923-rj4w-wvh7",
"modified": "2022-05-17T05:03:07Z",
"published": "2022-05-17T05:03:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4157"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2013:1205"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2013-4157"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=986516"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1205.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.