Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1992 vulnerabilities reference this CWE, most recent first.

GHSA-2W8H-HCH2-V23H

Vulnerability from github – Published: 2024-10-29 15:32 – Updated: 2024-10-29 15:32
VLAI
Details

mudler/LocalAI version 2.17.1 allows for arbitrary file write due to improper handling of automatic archive extraction. When model configurations specify additional files as archives (e.g., .tar), these archives are automatically extracted after downloading. This behavior can be exploited to perform a 'tarslip' attack, allowing files to be written to arbitrary locations on the server, bypassing checks that normally restrict files to the models directory. This vulnerability can lead to remote code execution (RCE) by overwriting backend assets used by the server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6868"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-29T13:15:08Z",
    "severity": "HIGH"
  },
  "details": "mudler/LocalAI version 2.17.1 allows for arbitrary file write due to improper handling of automatic archive extraction. When model configurations specify additional files as archives (e.g., .tar), these archives are automatically extracted after downloading. This behavior can be exploited to perform a \u0027tarslip\u0027 attack, allowing files to be written to arbitrary locations on the server, bypassing checks that normally restrict files to the models directory. This vulnerability can lead to remote code execution (RCE) by overwriting backend assets used by the server.",
  "id": "GHSA-2w8h-hch2-v23h",
  "modified": "2024-10-29T15:32:05Z",
  "published": "2024-10-29T15:32:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6868"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mudler/localai/commit/a181dd0ebc5d3092fc50f61674d552604fe8ef9c"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/752d2376-2d9a-4e17-b462-3c267f9dd229"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2WH2-4QXG-W52C

Vulnerability from github – Published: 2022-05-14 03:57 – Updated: 2022-05-14 03:57
VLAI
Details

The pulp-gen-nodes-certificate script in Pulp before 2.8.3 allows local users to leak the keys or write to arbitrary files via a symlink attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-3108"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-08T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "The pulp-gen-nodes-certificate script in Pulp before 2.8.3 allows local users to leak the keys or write to arbitrary files via a symlink attack.",
  "id": "GHSA-2wh2-4qxg-w52c",
  "modified": "2022-05-14T03:57:46Z",
  "published": "2022-05-14T03:57:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3108"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pulp/pulp/pull/2528"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHBA-2016:1501"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2016-3108"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/attachment.cgi?id=1146475"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1325934"
    },
    {
      "type": "WEB",
      "url": "https://pulp.plan.io/issues/1830"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/05/20/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2X93-PF6J-8C9X

Vulnerability from github – Published: 2026-04-23 21:31 – Updated: 2026-04-23 21:31
VLAI
Details

radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. Attackers can craft a .zrp archive with a symlinked notes.txt that bypasses directory confinement checks, allowing note operations to follow the symlink and access arbitrary files outside the dir.projects root directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6941"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-23T21:16:06Z",
    "severity": "MODERATE"
  },
  "details": "radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. Attackers can craft a .zrp archive with a symlinked notes.txt that bypasses directory confinement checks, allowing note operations to follow the symlink and access arbitrary files outside the dir.projects root directory.",
  "id": "GHSA-2x93-pf6j-8c9x",
  "modified": "2026-04-23T21:31:24Z",
  "published": "2026-04-23T21:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6941"
    },
    {
      "type": "WEB",
      "url": "https://github.com/radareorg/radare2/pull/25831"
    },
    {
      "type": "WEB",
      "url": "https://github.com/radareorg/radare2/commit/4bcdee725ff0754ed721a98789c0af371c5f32a4"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/radare2-project-notes-path-traversal-via-symlink"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2X9H-7774-VHG2

Vulnerability from github – Published: 2022-05-24 17:16 – Updated: 2024-04-04 02:50
VLAI
Details

Avira Antivirus before 5.0.2003.1821 on Windows allows privilege escalation or a denial of service via abuse of a symlink.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-12254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-26T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Avira Antivirus before 5.0.2003.1821 on Windows allows privilege escalation or a denial of service via abuse of a symlink.",
  "id": "GHSA-2x9h-7774-vhg2",
  "modified": "2024-04-04T02:50:16Z",
  "published": "2022-05-24T17:16:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12254"
    },
    {
      "type": "WEB",
      "url": "https://support.avira.com/hc/en-us/articles/360000109798-Avira-Antivirus-for-Windows"
    },
    {
      "type": "WEB",
      "url": "http://web.archive.org/web/20200429193852/https://support.avira.com/hc/en-us/articles/360000109798-Avira-Antivirus-for-Windows"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2XGV-6QHC-WPXF

Vulnerability from github – Published: 2022-05-17 02:18 – Updated: 2022-05-17 02:18
VLAI
Details

vdrleaktest in Video Disk Recorder (aka vdr-dbg or vdr) 1.6.0 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/memleaktest.log temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-4985"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-11-06T15:55:00Z",
    "severity": "MODERATE"
  },
  "details": "vdrleaktest in Video Disk Recorder (aka vdr-dbg or vdr) 1.6.0 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/memleaktest.log temporary file.",
  "id": "GHSA-2xgv-6qhc-wpxf",
  "modified": "2022-05-17T02:18:27Z",
  "published": "2022-05-17T02:18:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4985"
    },
    {
      "type": "WEB",
      "url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
    },
    {
      "type": "WEB",
      "url": "https://bugs.gentoo.org/show_bug.cgi?id=235827"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44880"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/496421"
    },
    {
      "type": "WEB",
      "url": "http://dev.gentoo.org/~rbu/security/debiantemp/vdr-dbg"
    },
    {
      "type": "WEB",
      "url": "http://uvw.ru/report.lenny.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-329C-JRV3-6H96

Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2023-02-24 00:30
VLAI
Details

IBM Informix Dynamic Server Enterprise Edition 12.1 could allow a local user logged in with database administrator user to gain root privileges through a symbolic link vulnerability in oninit mongohash. IBM X-Force ID: 144431.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1631"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-20T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Informix Dynamic Server Enterprise Edition 12.1 could allow a local user logged in with database administrator user to gain root privileges through a symbolic link vulnerability in oninit mongohash. IBM X-Force ID: 144431.",
  "id": "GHSA-329c-jrv3-6h96",
  "modified": "2023-02-24T00:30:16Z",
  "published": "2022-05-24T16:54:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1631"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/144431"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190903-0002"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=ibm10964987"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-32P2-RGHV-W56X

Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2024-04-04 01:18
VLAI
Details

In Avast Antivirus before 19.4, a local administrator can trick the product into renaming arbitrary files by replacing the Logs\Update.log file with a symlink. The next time the product attempts to write to the log file, the target of the symlink is renamed. This defect can be exploited to rename a critical product file (e.g., AvastSvc.exe), causing the product to fail to start on the next system restart.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11230"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-18T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Avast Antivirus before 19.4, a local administrator can trick the product into renaming arbitrary files by replacing the Logs\\Update.log file with a symlink. The next time the product attempts to write to the log file, the target of the symlink is renamed. This defect can be exploited to rename a critical product file (e.g., AvastSvc.exe), causing the product to fail to start on the next system restart.",
  "id": "GHSA-32p2-rghv-w56x",
  "modified": "2024-04-04T01:18:34Z",
  "published": "2022-05-24T16:50:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11230"
    },
    {
      "type": "WEB",
      "url": "http://www.mcerlane.co.uk/CVE-2019-11230"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/109344"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-32R7-MGWG-67WQ

Vulnerability from github – Published: 2022-07-19 00:00 – Updated: 2022-07-23 00:00
VLAI
Details

AnyDesk 7.0.9 allows a local user to gain SYSTEM privileges via a symbolic link because the user can write to their own %APPDATA% folder (used for ad.trace and chat) but the product runs as SYSTEM when writing chat-room data there.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-32450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-18T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "AnyDesk 7.0.9 allows a local user to gain SYSTEM privileges via a symbolic link because the user can write to their own %APPDATA% folder (used for ad.trace and chat) but the product runs as SYSTEM when writing chat-room data there.",
  "id": "GHSA-32r7-mgwg-67wq",
  "modified": "2022-07-23T00:00:23Z",
  "published": "2022-07-19T00:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32450"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2022/Jun/44"
    },
    {
      "type": "WEB",
      "url": "http://anydesk.com"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/167608/AnyDesk-7.0.9-Arbitrary-File-Write-Denial-Of-Service.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Jul/9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-33PM-33CG-5576

Vulnerability from github – Published: 2026-05-20 15:35 – Updated: 2026-05-20 15:35
VLAI
Details

Improper link resolution before file access ('link following') in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-42834"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-20T13:16:34Z",
    "severity": "HIGH"
  },
  "details": "Improper link resolution before file access (\u0027link following\u0027) in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-33pm-33cg-5576",
  "modified": "2026-05-20T15:35:32Z",
  "published": "2026-05-20T15:35:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42834"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42834"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-33W2-PRHC-2Q89

Vulnerability from github – Published: 2022-05-24 17:16 – Updated: 2022-10-07 18:15
VLAI
Details

Apport creates a world writable lock file with root ownership in the world writable /var/lock/apport directory. If the apport/ directory does not exist (this is not uncommon as /var/lock is a tmpfs), it will create the directory, otherwise it will simply continue execution using the existing directory. This allows for a symlink attack if an attacker were to create a symlink at /var/lock/apport, changing apport's lock file location. This file could then be used to escalate privileges, for example. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-8831"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-22T22:15:00Z",
    "severity": "LOW"
  },
  "details": "Apport creates a world writable lock file with root ownership in the world writable /var/lock/apport directory. If the apport/ directory does not exist (this is not uncommon as /var/lock is a tmpfs), it will create the directory, otherwise it will simply continue execution using the existing directory. This allows for a symlink attack if an attacker were to create a symlink at /var/lock/apport, changing apport\u0027s lock file location. This file could then be used to escalate privileges, for example. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22.",
  "id": "GHSA-33w2-prhc-2q89",
  "modified": "2022-10-07T18:15:44Z",
  "published": "2022-05-24T17:16:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8831"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.net/bugs/1862348"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4315-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4315-2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.