Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1987 vulnerabilities reference this CWE, most recent first.

GHSA-QGFR-5HQP-VRW9

Vulnerability from github – Published: 2020-09-03 21:16 – Updated: 2023-04-18 14:49
VLAI
Summary
Path Traversal in decompress
Details

Versions of decompress prior to 4.2.1 are vulnerable to Arbitrary File Write. The package fails to prevent extraction of files with relative paths, allowing attackers to write to any folder in the system by including filenames containing../.

Recommendation

Upgrade to version 4.2.1 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "decompress"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-12265"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:51:16Z",
    "nvd_published_at": "2020-04-26T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Versions of `decompress` prior to 4.2.1 are vulnerable to Arbitrary File Write. The package fails to prevent extraction of files with relative paths, allowing attackers to write to any folder in the system by including filenames containing`../`.\n\n\n## Recommendation\n\nUpgrade to version 4.2.1 or later.",
  "id": "GHSA-qgfr-5hqp-vrw9",
  "modified": "2023-04-18T14:49:55Z",
  "published": "2020-09-03T21:16:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12265"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kevva/decompress/issues/71"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kevva/decompress/pull/73"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kevva/decompress/commit/967146e70f48be32ed1a69daa3941d681944d513"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kevva/decompress"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Path Traversal in decompress"
}

GHSA-QGQR-XGPP-PCG3

Vulnerability from github – Published: 2022-05-17 02:19 – Updated: 2025-04-09 03:59
VLAI
Details

Unspecified vulnerability in Opera before 9.60 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a redirect that specifies a crafted URL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-4694"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-10-23T22:00:00Z",
    "severity": "HIGH"
  },
  "details": "Unspecified vulnerability in Opera before 9.60 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a redirect that specifies a crafted URL.",
  "id": "GHSA-qgqr-xgpp-pcg3",
  "modified": "2025-04-09T03:59:57Z",
  "published": "2022-05-17T02:19:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4694"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45722"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32177"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32394"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32538"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-200811-01.xml"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1021016"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/10/21/5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/10/22/5"
    },
    {
      "type": "WEB",
      "url": "http://www.opera.com/docs/changelogs/freebsd/960"
    },
    {
      "type": "WEB",
      "url": "http://www.opera.com/docs/changelogs/linux/960"
    },
    {
      "type": "WEB",
      "url": "http://www.opera.com/docs/changelogs/mac/960"
    },
    {
      "type": "WEB",
      "url": "http://www.opera.com/docs/changelogs/solaris/960"
    },
    {
      "type": "WEB",
      "url": "http://www.opera.com/docs/changelogs/windows/960"
    },
    {
      "type": "WEB",
      "url": "http://www.opera.com/support/search/view/901"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/31631"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/2765"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QGRX-JQWH-WCX9

Vulnerability from github – Published: 2022-01-12 00:01 – Updated: 2024-11-14 21:31
VLAI
Details

Windows Cleanup Manager Elevation of Privilege Vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-21838"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-11T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Windows Cleanup Manager Elevation of Privilege Vulnerability.",
  "id": "GHSA-qgrx-jqwh-wcx9",
  "modified": "2024-11-14T21:31:43Z",
  "published": "2022-01-12T00:01:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21838"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21838"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21838"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-049"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QH3G-27JF-3J54

Vulnerability from github – Published: 2022-05-14 00:56 – Updated: 2024-01-16 21:28
VLAI
Summary
Puppet allows local users to modify the permissions of arbitrary files
Details

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink attack on the SSH authorized_keys file.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "puppet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "puppet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2011-3870"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-16T21:28:46Z",
    "nvd_published_at": "2011-10-27T20:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink attack on the SSH authorized_keys file.",
  "id": "GHSA-qh3g-27jf-3j54",
  "modified": "2024-01-16T21:28:46Z",
  "published": "2022-05-14T00:56:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3870"
    },
    {
      "type": "WEB",
      "url": "https://github.com/puppetlabs/puppet/commit/88512e880bd2a03694b5fef42540dc7b3da05d30"
    },
    {
      "type": "WEB",
      "url": "https://github.com/puppetlabs/puppet/commit/b29b1785d543a3cea961fffa9b3c15f14ab7cce0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/puppetlabs/puppet"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2011-3870.yml"
    },
    {
      "type": "WEB",
      "url": "https://puppet.com/security/cve/cve-2011-3870"
    },
    {
      "type": "WEB",
      "url": "http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2011/dsa-2314"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1223-1"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1223-2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Puppet allows local users to modify the permissions of arbitrary files"
}

GHSA-QHFC-5XCH-PG48

Vulnerability from github – Published: 2022-05-02 06:12 – Updated: 2022-05-02 06:12
VLAI
Details

The edit_cmd function in crontab.c in (1) cronie before 1.4.4 and (2) Vixie cron (vixie-cron) allows local users to change the modification times of arbitrary files, and consequently cause a denial of service, via a symlink attack on a temporary file in the /tmp directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-0424"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-02-25T19:30:00Z",
    "severity": "LOW"
  },
  "details": "The edit_cmd function in crontab.c in (1) cronie before 1.4.4 and (2) Vixie cron (vixie-cron) allows local users to change the modification times of arbitrary files, and consequently cause a denial of service, via a symlink attack on a temporary file in the /tmp directory.",
  "id": "GHSA-qhfc-5xch-pg48",
  "modified": "2022-05-02T06:12:38Z",
  "published": "2022-05-02T06:12:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-0424"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=565809"
    },
    {
      "type": "WEB",
      "url": "http://git.fedorahosted.org/git/cronie.git?p=cronie.git%3Ba=commit%3Bh=9e4a8fa5f9171fb724981f53879c9b20264aeb61"
    },
    {
      "type": "WEB",
      "url": "http://git.fedorahosted.org/git/cronie.git?p=cronie.git;a=commit;h=9e4a8fa5f9171fb724981f53879c9b20264aeb61"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035762.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/38700"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/38741"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/48104"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/38391"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QHPV-F2H3-4MH8

Vulnerability from github – Published: 2022-05-17 01:07 – Updated: 2022-05-17 01:07
VLAI
Details

Argument injection vulnerability in devscripts before 2.15.7 allows remote attackers to write to arbitrary files via a crafted symlink and crafted filename.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-5705"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-06T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "Argument injection vulnerability in devscripts before 2.15.7 allows remote attackers to write to arbitrary files via a crafted symlink and crafted filename.",
  "id": "GHSA-qhpv-f2h3-4mh8",
  "modified": "2022-05-17T01:07:23Z",
  "published": "2022-05-17T01:07:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5705"
    },
    {
      "type": "WEB",
      "url": "https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=d8f8fa1d8e4151fa62997cb74403f97ab0d7e1a2"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794260"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1249645"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163705.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163710.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2015/08/01/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJ42-4Q8C-3R9V

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10
VLAI
Details

There is an information leak vulnerability in the digital media player (DMS) of ZTE's residential gateway product. The attacker could insert the USB disk with the symbolic link into the residential gateway, and access unauthorized directory information through the symbolic link, causing information leak.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21740"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-09T16:15:00Z",
    "severity": "LOW"
  },
  "details": "There is an information leak vulnerability in the digital media player (DMS) of ZTE\u0027s residential gateway product. The attacker could insert the USB disk with the symbolic link into the residential gateway, and access unauthorized directory information through the symbolic link, causing information leak.",
  "id": "GHSA-qj42-4q8c-3r9v",
  "modified": "2022-05-24T19:10:26Z",
  "published": "2022-05-24T19:10:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21740"
    },
    {
      "type": "WEB",
      "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1017244"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QJ96-83MW-F2RW

Vulnerability from github – Published: 2022-11-02 12:00 – Updated: 2022-11-02 19:00
VLAI
Details

This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted DMG file may lead to arbitrary code execution with system privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-32905"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-01T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted DMG file may lead to arbitrary code execution with system privileges.",
  "id": "GHSA-qj96-83mw-f2rw",
  "modified": "2022-11-02T19:00:23Z",
  "published": "2022-11-02T12:00:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32905"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213488"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJC9-F8HG-MV2P

Vulnerability from github – Published: 2025-12-02 21:31 – Updated: 2025-12-02 21:31
VLAI
Details

JumpCloud Remote Assist for Windows versions prior to 0.317.0 include an uninstaller that is invoked by the JumpCloud Windows Agent as NT AUTHORITY\SYSTEM during agent uninstall or update operations. The Remote Assist uninstaller performs privileged create, write, execute, and delete actions on predictable files inside a user-writable %TEMP% subdirectory without validating that the directory is trusted or resetting its ACLs when it already exists. A local, low-privileged attacker can pre-create the directory with weak permissions and leverage mount-point or symbolic-link redirection to (a) coerce arbitrary file writes to protected locations, leading to denial of service (e.g., by overwriting sensitive system files), or (b) win a race to redirect DeleteFileW() to attacker-chosen targets, enabling arbitrary file or folder deletion and local privilege escalation to SYSTEM. This issue is fixed in JumpCloud Remote Assist 0.317.0 and affects Windows systems where Remote Assist is installed and managed through the Agent lifecycle.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-34352"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-02T19:15:49Z",
    "severity": "HIGH"
  },
  "details": "JumpCloud Remote Assist for Windows versions prior to 0.317.0 include an uninstaller that is invoked by the JumpCloud Windows Agent as NT AUTHORITY\\SYSTEM during agent uninstall or update operations. The Remote Assist uninstaller performs privileged create, write, execute, and delete actions on predictable files inside a user-writable %TEMP% subdirectory without validating that the directory is trusted or resetting its ACLs when it already exists. A local, low-privileged attacker can pre-create the directory with weak permissions and leverage mount-point or symbolic-link redirection to (a) coerce arbitrary file writes to protected locations, leading to denial of service (e.g., by overwriting sensitive system files), or (b) win a race to redirect DeleteFileW() to attacker-chosen targets, enabling arbitrary file or folder deletion and local privilege escalation to SYSTEM. This issue is fixed in JumpCloud Remote Assist 0.317.0 and affects Windows systems where Remote Assist is installed and managed through the Agent lifecycle.",
  "id": "GHSA-qjc9-f8hg-mv2p",
  "modified": "2025-12-02T21:31:29Z",
  "published": "2025-12-02T21:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34352"
    },
    {
      "type": "WEB",
      "url": "https://jumpcloud.com/platform/remote-assistance"
    },
    {
      "type": "WEB",
      "url": "https://jumpcloud.com/support/list-of-jumpcloud-agent-release-notes"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/jumpcloud-remote-assist-arbitrary-file-write-delete-via-insecure-temp-directory"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-QJQ3-WQJ5-G37Q

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-07-01 19:26
VLAI
Summary
Jenkins Pipeline: Groovy Libraries Plugin does not prohibit symbolic links in shared libraries
Details

Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries.

This allows attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.

Pipeline: Groovy Libraries Plugin 798.v5cc688825312 prohibits symbolic links in shared libraries.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.jenkins.plugins:pipeline-groovy-lib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "798.v5cc688825312"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48921"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-01T19:26:57Z",
    "nvd_published_at": "2026-05-27T15:16:31Z",
    "severity": "HIGH"
  },
  "details": "Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries.\n\nThis allows attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.\n\nPipeline: Groovy Libraries Plugin 798.v5cc688825312 prohibits symbolic links in shared libraries.",
  "id": "GHSA-qjq3-wqj5-g37q",
  "modified": "2026-07-01T19:26:57Z",
  "published": "2026-05-27T15:33:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48921"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/pipeline-groovy-lib-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3727"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Pipeline: Groovy Libraries Plugin does not prohibit symbolic links in shared libraries"
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.