CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1990 vulnerabilities reference this CWE, most recent first.
GHSA-2JQ4-Q6VV-4CP3
Vulnerability from github – Published: 2026-06-18 17:25 – Updated: 2026-06-18 17:25Summary
When the crawler saves a downloaded file, the destination filename was taken from attacker-influenced input and joined to the downloads directory with no confinement. A filename containing an absolute path (e.g. /etc/cron.d/evil) or ../ traversal escaped the downloads directory, giving an arbitrary file write with attacker-controlled contents. Because the written bytes are attacker-controlled, this escalates to remote code execution (overwriting a shell rc-file, ~/.ssh/authorized_keys, a cron entry, or a Python module on the import path).
Affected paths
Two download sinks in crawl4ai/async_crawler_strategy.py:
- HTTP crawler (AsyncHTTPCrawlerStrategy): the filename is parsed from the response Content-Disposition header by _extract_filename() and written via aiofiles.open(filepath, 'wb'). Reachable directly via the SDK, and via the unauthenticated Docker /crawl endpoint when an HTTPCrawlerConfig is supplied.
- Browser crawler (AsyncPlaywrightCrawlerStrategy): the download's suggested_filename (controllable by the visited page) is joined to downloads_path and written via download.save_as().
The HTTP-strategy sink is reachable pre-auth on the default Docker deployment; both are reachable for SDK users simply by crawling an attacker-controlled URL. The default Playwright crawl path that does not trigger a download is unaffected.
Impact
Arbitrary file write with attacker-controlled content as the user running the crawler, escalating to remote code execution.
Fix
Both sinks now resolve the destination through a single hardened helper (_safe_download_filepath) that reduces the attacker-influenced name to a bare basename (dropping absolute paths and .. components) and re-checks, via realpath, that the resolved path stays inside the downloads root (defeating symlink/TOCTOU escapes). A traversal attempt is rejected; normal downloads are unchanged.
Workarounds
- Upgrade to the patched version (0.9.0).
- Run the crawler as an unprivileged user with a dedicated, isolated downloads directory on a volume with no sensitive paths writable.
- Enable authentication (
CRAWL4AI_API_TOKEN) on the Docker server.
Credits
Y4tacker - reported the Content-Disposition path traversal in the HTTP crawler with a clear PoC and a basename + realpath-containment fix recommendation.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.9"
},
"package": {
"ecosystem": "PyPI",
"name": "crawl4ai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T17:25:13Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\n\nWhen the crawler saves a downloaded file, the destination filename was taken from attacker-influenced input and joined to the downloads directory with no confinement. A filename containing an absolute path (e.g. `/etc/cron.d/evil`) or `../` traversal escaped the downloads directory, giving an arbitrary file write with attacker-controlled contents. Because the written bytes are attacker-controlled, this escalates to remote code execution (overwriting a shell rc-file, `~/.ssh/authorized_keys`, a cron entry, or a Python module on the import path).\n\n### Affected paths\n\nTwo download sinks in `crawl4ai/async_crawler_strategy.py`:\n- HTTP crawler (`AsyncHTTPCrawlerStrategy`): the filename is parsed from the response `Content-Disposition` header by `_extract_filename()` and written via `aiofiles.open(filepath, \u0027wb\u0027)`. Reachable directly via the SDK, and via the unauthenticated Docker `/crawl` endpoint when an `HTTPCrawlerConfig` is supplied.\n- Browser crawler (`AsyncPlaywrightCrawlerStrategy`): the download\u0027s `suggested_filename` (controllable by the visited page) is joined to `downloads_path` and written via `download.save_as()`.\n\nThe HTTP-strategy sink is reachable pre-auth on the default Docker deployment; both are reachable for SDK users simply by crawling an attacker-controlled URL. The default Playwright crawl path that does not trigger a download is unaffected.\n\n### Impact\n\nArbitrary file write with attacker-controlled content as the user running the crawler, escalating to remote code execution.\n\n### Fix\n\nBoth sinks now resolve the destination through a single hardened helper (`_safe_download_filepath`) that reduces the attacker-influenced name to a bare basename (dropping absolute paths and `..` components) and re-checks, via `realpath`, that the resolved path stays inside the downloads root (defeating symlink/TOCTOU escapes). A traversal attempt is rejected; normal downloads are unchanged.\n\n### Workarounds\n\n- Upgrade to the patched version (0.9.0).\n- Run the crawler as an unprivileged user with a dedicated, isolated downloads directory on a volume with no sensitive paths writable.\n- Enable authentication (`CRAWL4AI_API_TOKEN`) on the Docker server.\n\n### Credits\n\nY4tacker - reported the Content-Disposition path traversal in the HTTP crawler with a clear PoC and a basename + realpath-containment fix recommendation.",
"id": "GHSA-2jq4-q6vv-4cp3",
"modified": "2026-06-18T17:25:13Z",
"published": "2026-06-18T17:25:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/unclecode/crawl4ai/security/advisories/GHSA-2jq4-q6vv-4cp3"
},
{
"type": "PACKAGE",
"url": "https://github.com/unclecode/crawl4ai"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Crawl4AI: Arbitrary file write (path traversal) in crawler downloads can lead to RCE"
}
GHSA-2M3G-FR55-VWFH
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local user to obtain root access by exploiting a symbolic link attack to read/write/corrupt a file that they originally did not have permission to access. IBM X-Force ID: 148804.
{
"affected": [],
"aliases": [
"CVE-2018-1781"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-09T01:29:00Z",
"severity": "HIGH"
},
"details": "IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local user to obtain root access by exploiting a symbolic link attack to read/write/corrupt a file that they originally did not have permission to access. IBM X-Force ID: 148804.",
"id": "GHSA-2m3g-fr55-vwfh",
"modified": "2022-05-13T01:32:41Z",
"published": "2022-05-13T01:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1781"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/148804"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10733939"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105885"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1042086"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2M3H-X8JM-FMWH
Vulnerability from github – Published: 2026-06-09 18:30 – Updated: 2026-06-09 18:30Improper link resolution before file access ('link following') in Winlogon allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-42989"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T17:17:15Z",
"severity": "HIGH"
},
"details": "Improper link resolution before file access (\u0027link following\u0027) in Winlogon allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-2m3h-x8jm-fmwh",
"modified": "2026-06-09T18:30:46Z",
"published": "2026-06-09T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42989"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42989"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2M9W-9XH2-WXC3
Vulnerability from github – Published: 2022-02-16 00:01 – Updated: 2023-05-24 14:25Jenkins Pipeline: Multibranch Plugin prior to 2.23.1, 2.26.1, 696.698.v9b4218eea50f, and 707.v71c3f0a_6ccdb_ follows symbolic links to locations outside of the checkout directory for the configured SCM when reading files using the readTrusted step, allowing attackers able to configure Pipelines permission to read arbitrary files on the Jenkins controller file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins.workflow:workflow-multibranch"
},
"ranges": [
{
"events": [
{
"introduced": "2.24"
},
{
"fixed": "2.26.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins.workflow:workflow-multibranch"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.23.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins.workflow:workflow-multibranch"
},
"ranges": [
{
"events": [
{
"introduced": "696.v52535c46f4c9"
},
{
"fixed": "696.698.v9b4218eea50f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins.workflow:workflow-multibranch"
},
"ranges": [
{
"events": [
{
"introduced": "706.vd43c65dec013"
},
{
"fixed": "707.v71c3f0a"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25179"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-25T20:40:40Z",
"nvd_published_at": "2022-02-15T17:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Pipeline: Multibranch Plugin prior to 2.23.1, 2.26.1, 696.698.v9b4218eea50f, and 707.v71c3f0a_6ccdb_ follows symbolic links to locations outside of the checkout directory for the configured SCM when reading files using the readTrusted step, allowing attackers able to configure Pipelines permission to read arbitrary files on the Jenkins controller file system.",
"id": "GHSA-2m9w-9xh2-wxc3",
"modified": "2023-05-24T14:25:01Z",
"published": "2022-02-16T00:01:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25179"
},
{
"type": "WEB",
"url": "https://github.com/CVEProject/cvelist/blob/00bfb5abeecc9f553a2f42954ee540e493498ee9/2022/25xxx/CVE-2022-25179.json"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2613"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Link Following in Jenkins Pipeline Multibranch Plugin"
}
GHSA-2MM4-WMFR-3FFM
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 could allow a local user to access and change the configuration of Db2 due to a race condition of a symbolic link,. IBM X-Force ID: 190909.
{
"affected": [],
"aliases": [
"CVE-2020-4885"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-24T19:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 could allow a local user to access and change the configuration of Db2 due to a race condition of a symbolic link,. IBM X-Force ID: 190909.",
"id": "GHSA-2mm4-wmfr-3ffm",
"modified": "2022-05-24T19:06:14Z",
"published": "2022-05-24T19:06:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4885"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/190909"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210720-0006"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6466363"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2MV9-V6Q7-X773
Vulnerability from github – Published: 2026-04-15 15:31 – Updated: 2026-04-15 15:31During an internal security assessment, a potential vulnerability was discovered in Lenovo Diagnostics and the HardwareScanAddin used in Lenovo Vantage that, during installation or when using hardware scan, could allow a local authenticated user to perform an arbitrary file write with elevated privileges.
{
"affected": [],
"aliases": [
"CVE-2026-0827"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-15T13:16:23Z",
"severity": "MODERATE"
},
"details": "During an internal security assessment, a potential vulnerability was discovered in Lenovo Diagnostics and the HardwareScanAddin used in Lenovo Vantage that, during installation or when using hardware scan, could allow a local authenticated user to perform an arbitrary file write with elevated privileges.",
"id": "GHSA-2mv9-v6q7-x773",
"modified": "2026-04-15T15:31:42Z",
"published": "2026-04-15T15:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0827"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/us/en/product_security/LEN-210693"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2P49-45HJ-7MC9
Vulnerability from github – Published: 2026-01-21 22:40 – Updated: 2026-01-22 15:41Impact
The resolveSafeChildPath utility function in @backstage/backend-plugin-api, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation by:
- Symlink chains: Creating
link1 → link2 → /outsidewhere intermediate symlinks eventually resolve outside the allowed directory - Dangling symlinks: Creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations
This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories.
Patches
This vulnerability is fixed in @backstage/backend-plugin-api version 0.1.17. Users should upgrade to this version or later.
Workarounds
- Run Backstage in a containerised environment with limited filesystem access
- Restrict template creation to trusted users
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.1.16"
},
"package": {
"ecosystem": "npm",
"name": "@backstage/cli-common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-24047"
],
"database_specific": {
"cwe_ids": [
"CWE-59",
"CWE-61"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-21T22:40:51Z",
"nvd_published_at": "2026-01-21T23:15:53Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation by:\n\n1. **Symlink chains**: Creating `link1 \u2192 link2 \u2192 /outside` where intermediate symlinks eventually resolve outside the allowed directory\n2. **Dangling symlinks**: Creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations\n\nThis function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories.\n\n### Patches\n\nThis vulnerability is fixed in `@backstage/backend-plugin-api` version 0.1.17. Users should upgrade to this version or later.\n\n### Workarounds\n\n- Run Backstage in a containerised environment with limited filesystem access\n- Restrict template creation to trusted users",
"id": "GHSA-2p49-45hj-7mc9",
"modified": "2026-01-22T15:41:11Z",
"published": "2026-01-21T22:40:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-2p49-45hj-7mc9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24047"
},
{
"type": "WEB",
"url": "https://github.com/backstage/backstage/commit/ae4dd5d1572a4f639e1a466fd982656b50f8e692"
},
{
"type": "PACKAGE",
"url": "https://github.com/backstage/backstage"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "@backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass"
}
GHSA-2P5V-3F2J-GQ28
Vulnerability from github – Published: 2024-11-22 21:32 – Updated: 2024-11-22 21:32G DATA Total Security Scan Server Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of G DATA Total Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the G DATA AntiVirus Scan Server. By creating a symbolic link, an attacker can abuse the service to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23381.
{
"affected": [],
"aliases": [
"CVE-2024-30377"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-22T20:15:08Z",
"severity": "HIGH"
},
"details": "G DATA Total Security Scan Server Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of G DATA Total Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the G DATA AntiVirus Scan Server. By creating a symbolic link, an attacker can abuse the service to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23381.",
"id": "GHSA-2p5v-3f2j-gq28",
"modified": "2024-11-22T21:32:16Z",
"published": "2024-11-22T21:32:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30377"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1159"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2PF3-GJP3-CX53
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-08-31 00:00By exploiting a time of check to time of use (TOCTOU) race condition during the Endpoint Security for Linux Threat Prevention and Firewall (ENSL TP/FW) installation process, a local user can perform a privilege escalation attack to obtain administrator privileges for the purpose of executing arbitrary code through insecure use of predictable temporary file locations.
{
"affected": [],
"aliases": [
"CVE-2021-23892"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-367",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-12T09:15:00Z",
"severity": "HIGH"
},
"details": "By exploiting a time of check to time of use (TOCTOU) race condition during the Endpoint Security for Linux Threat Prevention and Firewall (ENSL TP/FW) installation process, a local user can perform a privilege escalation attack to obtain administrator privileges for the purpose of executing arbitrary code through insecure use of predictable temporary file locations.",
"id": "GHSA-2pf3-gjp3-cx53",
"modified": "2022-08-31T00:00:18Z",
"published": "2022-05-24T19:02:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23892"
},
{
"type": "WEB",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10355"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2PFR-2XMV-J9V4
Vulnerability from github – Published: 2022-09-20 00:00 – Updated: 2022-09-22 00:00A link following local privilege escalation vulnerability in Trend Micro Apex One and Trend Micro Apex One as a Service servers could allow a local attacker to abuse an insecure directory that could allow a low-privileged user to run arbitrary code with elevated privileges. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-40143"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-19T18:15:00Z",
"severity": "HIGH"
},
"details": "A link following local privilege escalation vulnerability in Trend Micro Apex One and Trend Micro Apex One as a Service servers could allow a local attacker to abuse an insecure directory that could allow a low-privileged user to run arbitrary code with elevated privileges. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
"id": "GHSA-2pfr-2xmv-j9v4",
"modified": "2022-09-22T00:00:31Z",
"published": "2022-09-20T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40143"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/solution/000291528"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1191"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.