CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1987 vulnerabilities reference this CWE, most recent first.
GHSA-RP9W-778V-4H8M
Vulnerability from github – Published: 2026-05-13 21:32 – Updated: 2026-05-14 18:32The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack. If a malicious graphics package containing symlinks is uploaded, the web server follows the supplied links when serving content. No mechanisms to restrict those link targets to a specific area of the filesystem is enabled. This allows an attacker to retrieve arbitrary files from the device.
{
"affected": [],
"aliases": [
"CVE-2025-27850"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-13T21:16:41Z",
"severity": "HIGH"
},
"details": "The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack. If a malicious graphics package containing symlinks is uploaded, the web server follows the supplied links when serving content. No mechanisms to restrict those link targets to a specific area of the filesystem is enabled. This allows an attacker to retrieve arbitrary files from the device.",
"id": "GHSA-rp9w-778v-4h8m",
"modified": "2026-05-14T18:32:52Z",
"published": "2026-05-13T21:32:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27850"
},
{
"type": "WEB",
"url": "https://garmin.com"
},
{
"type": "WEB",
"url": "https://www8.garmin.com/support/ch.jsp?product=010-02642-00"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RPGH-5P2M-VXQX
Vulnerability from github – Published: 2022-05-24 17:13 – Updated: 2022-05-24 17:13A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: openSUSE Factory exim versions prior to 4.93.0.4-3.1.
{
"affected": [],
"aliases": [
"CVE-2020-8015"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-02T08:15:00Z",
"severity": "HIGH"
},
"details": "A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: openSUSE Factory exim versions prior to 4.93.0.4-3.1.",
"id": "GHSA-rpgh-5p2m-vxqx",
"modified": "2022-05-24T17:13:19Z",
"published": "2022-05-24T17:13:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8015"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1154183"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00010.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RPGQ-M5FP-32WR
Vulnerability from github – Published: 2026-05-14 16:23 – Updated: 2026-06-09 10:25Summary
Portainer supports deploying stacks from Git repositories. When a Git-backed stack is created or updated, Portainer clones the repository using go-git v5, which translates Git blob entries with mode 0o120000 (symlink) into real OS symlinks on the host filesystem via os.Symlink. The only entry blocked from becoming a symlink is .gitmodules; every other path — including docker-compose.yml, which Portainer treats as the stack entry point — is created as a symlink without validation.
Portainer's GET /api/stacks/{id}/file endpoint then reads the stack entry point with os.ReadFile, which follows OS symlinks transparently. A repository containing docker-compose.yml as a symlink to an arbitrary filesystem path (for example /etc/passwd or a mounted Kubernetes service account token) causes the symlink target's contents to be returned verbatim in the HTTP response. Any authenticated user with rights to create or update a Git-backed stack — the default configuration in Portainer CE — can read arbitrary files accessible to the Portainer process.
The issue is amplified by Git-stack auto-update: an attacker can create a stack from a legitimate repository, pass initial review, and later push a commit that replaces docker-compose.yml with a symlink; the file read is then triggered on the next scheduled update cycle with no further interaction required.
Severity
High
Attack complexity is Low: the attacker needs only the ability to host a Git repository and the default-granted permission to create a Git-backed stack. Privilege required is Low in typical CE deployments, where non-admin users can manage their own stacks; administrators retain the same attack surface regardless of the setting. Impact on confidentiality is High — the Portainer process commonly runs as root (required for Docker socket access), so arbitrary file read includes /etc/shadow, Kubernetes service account tokens, Docker secrets, environment variables, and the Portainer database itself. Integrity and availability are not directly affected, but the leaked contents (service account tokens, registry credentials, database session keys) frequently enable onward compromise of the host and managed environments.
Affected Versions
The vulnerability exists in every Portainer release since the introduction of Git-based stack deployment support — Git-backed stacks have always performed an unrestricted go-git checkout and subsequently read the entry-point file through os.ReadFile without resolving symlinks.
Fixes are included in the following releases:
| Branch | First vulnerable | Fixed in |
|---|---|---|
| 2.33.x (LTS) | 2.33.0 | 2.33.8 |
| 2.39.x (LTS) | 2.39.0 | 2.39.2 |
| 2.40.x (STS) | all prior | 2.41.0 |
Portainer releases prior to 2.33.0 are end-of-life and will not receive a fix. Users on EOL versions should upgrade to a supported LTS branch.
Workarounds
Administrators who cannot immediately upgrade can reduce exposure by:
- Restricting who can create Git-backed stacks. Disable Allow non-admin users to manage their stacks in environment settings so that only administrators can submit a Git repository URL. This reduces the attack to an administrator-only surface but does not remove it.
- Avoiding untrusted repositories. Do not deploy Git-backed stacks from repositories you do not control or review, and do not grant stack-management rights to users who can supply an arbitrary repository URL.
- Disabling auto-update on existing stacks. Auto-update re-clones the repository on a schedule, which allows a repository that was safe at creation time to later become malicious. Disabling auto-update removes the deferred-exploitation path.
- Auditing existing stack working directories. Search project paths under
/data/compose/(or your configured data directory) for symlink entries —find /data/compose -type l— and treat any unexpected results as potential evidence of past exploitation.
None of these replace the fix.
Affected Code
The vulnerability is the combination of two primitives. go-git translates Git symlink entries into OS symlinks unconditionally (except .gitmodules):
// go-git v5 — Worktree.checkoutFileSymlink
func (w *Worktree) checkoutFileSymlink(f *object.File) (err error) {
if strings.EqualFold(f.Name, gitmodulesFile) {
return ErrGitModulesSymlink
}
// ... reads blob content as raw bytes ...
err = w.Filesystem.Symlink(string(bytes), f.Name)
return
}
Relative symlink targets (../../etc/passwd) are passed through to os.Symlink as-is and escape the worktree at OS resolution time. (Absolute targets are chrooted to the worktree by go-billy's ChrootHelper.Symlink and are not useful to the attacker.)
On the read side, GetFileContent in api/filesystem/filesystem.go applies lexical path containment but not symlink resolution:
func (service *Service) GetFileContent(trustedRoot, filePath string) ([]byte, error) {
content, err := os.ReadFile(JoinPaths(trustedRoot, filePath))
return content, err
}
JoinPaths prevents ../ traversal in the input string but does not call filepath.EvalSymlinks, so a symlink already written to the project path resolves through os.ReadFile to its ultimate target.
The fix wraps the go-billy filesystem used by the Git checkout with a custom noSymlinkFS type whose Symlink() method returns ErrSymlinkDetected, causing the clone to fail rather than write any OS symlink. Git trees that would otherwise produce a symlink entry are rejected at checkout time, closing the primary attack path. On the 2.33.x and 2.39.x branches the fix also hardens GetFileContent to call filepath.EvalSymlinks and verify the resolved path remains inside the trusted root, providing a second layer of defence against any future regression in Git-checkout handling.
Impact
- Arbitrary file read as the Portainer process. Any file readable by the Portainer process — typically root in containerized deployments — can be returned through the stack file endpoint. Common targets include
/etc/shadow,/root/.ssh/*,/proc/self/environ, and the Portainer BoltDB (portainer.db) which contains all user password hashes, API tokens, and agent credentials. - Kubernetes service account token exposure. Portainer running on Kubernetes has its cluster service account token mounted at
/var/run/secrets/kubernetes.io/serviceaccount/token; reading it grants the attacker the Portainer pod's cluster API access. - Docker Swarm secret exposure. Secrets mounted into the Portainer container at
/run/secrets/(for example the initial admin password in Swarm deployments) are readable with the same mechanism. - Onward compromise. Leaked service tokens, registry credentials, and database contents frequently enable authenticated access to managed Docker/Kubernetes environments, container registries, and Portainer itself under other users' identities.
- Deferred exploitation via auto-update. A repository that passes initial review at stack creation can be mutated afterwards; the malicious commit takes effect on the next auto-update cycle without user interaction.
Timeline
- 2026-03-20: Reported via GitHub Security Advisory by b-hermes.
- 2026-04-18: Fix merged to
develop. - 2026-04-29: 2.41.0 released with fix.
- 2026-05-07: 2.33.8, 2.39.2, released with fix.
Credit
- b-hermes — identified the Git symlink injection primitive, traced the end-to-end chain through
GetFileContent, and provided a fully validated proof-of-concept.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/portainer/portainer"
},
"ranges": [
{
"events": [
{
"introduced": "2.33.0"
},
{
"fixed": "2.33.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/portainer/portainer"
},
"ranges": [
{
"events": [
{
"introduced": "2.39.0"
},
{
"fixed": "2.39.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/portainer/portainer"
},
"ranges": [
{
"events": [
{
"introduced": "2.40.0"
},
{
"fixed": "2.41.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44881"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T16:23:56Z",
"nvd_published_at": "2026-05-28T22:16:59Z",
"severity": "HIGH"
},
"details": "## Summary\nPortainer supports deploying stacks from Git repositories. When a Git-backed stack is created or updated, Portainer clones the repository using `go-git` v5, which translates Git blob entries with mode `0o120000` (symlink) into real OS symlinks on the host filesystem via `os.Symlink`. The only entry blocked from becoming a symlink is `.gitmodules`; every other path \u2014 including `docker-compose.yml`, which Portainer treats as the stack entry point \u2014 is created as a symlink without validation.\n\nPortainer\u0027s `GET /api/stacks/{id}/file` endpoint then reads the stack entry point with `os.ReadFile`, which follows OS symlinks transparently. A repository containing `docker-compose.yml` as a symlink to an arbitrary filesystem path (for example `/etc/passwd` or a mounted Kubernetes service account token) causes the symlink target\u0027s contents to be returned verbatim in the HTTP response. Any authenticated user with rights to create or update a Git-backed stack \u2014 the default configuration in Portainer CE \u2014 can read arbitrary files accessible to the Portainer process.\n\nThe issue is amplified by Git-stack auto-update: an attacker can create a stack from a legitimate repository, pass initial review, and later push a commit that replaces `docker-compose.yml` with a symlink; the file read is then triggered on the next scheduled update cycle with no further interaction required.\n\n## Severity\n**High**\n\nAttack complexity is Low: the attacker needs only the ability to host a Git repository and the default-granted permission to create a Git-backed stack. Privilege required is Low in typical CE deployments, where non-admin users can manage their own stacks; administrators retain the same attack surface regardless of the setting. Impact on confidentiality is High \u2014 the Portainer process commonly runs as root (required for Docker socket access), so arbitrary file read includes `/etc/shadow`, Kubernetes service account tokens, Docker secrets, environment variables, and the Portainer database itself. Integrity and availability are not directly affected, but the leaked contents (service account tokens, registry credentials, database session keys) frequently enable onward compromise of the host and managed environments.\n\n## Affected Versions\nThe vulnerability exists in every Portainer release since the introduction of Git-based stack deployment support \u2014 Git-backed stacks have always performed an unrestricted `go-git` checkout and subsequently read the entry-point file through `os.ReadFile` without resolving symlinks.\n\nFixes are included in the following releases:\n\n| Branch | First vulnerable | Fixed in |\n|--------------|------------------|------------|\n| 2.33.x (LTS) | 2.33.0 | **2.33.8** |\n| 2.39.x (LTS) | 2.39.0 | **2.39.2** |\n| 2.40.x (STS) | all prior | **2.41.0** |\n\nPortainer releases prior to 2.33.0 are end-of-life and will not receive a fix. Users on EOL versions should upgrade to a supported LTS branch.\n\n## Workarounds\nAdministrators who cannot immediately upgrade can reduce exposure by:\n\n- **Restricting who can create Git-backed stacks.** Disable **Allow non-admin users to manage their stacks** in environment settings so that only administrators can submit a Git repository URL. This reduces the attack to an administrator-only surface but does not remove it.\n- **Avoiding untrusted repositories.** Do not deploy Git-backed stacks from repositories you do not control or review, and do not grant stack-management rights to users who can supply an arbitrary repository URL.\n- **Disabling auto-update on existing stacks.** Auto-update re-clones the repository on a schedule, which allows a repository that was safe at creation time to later become malicious. Disabling auto-update removes the deferred-exploitation path.\n- **Auditing existing stack working directories.** Search project paths under `/data/compose/` (or your configured data directory) for symlink entries \u2014 `find /data/compose -type l` \u2014 and treat any unexpected results as potential evidence of past exploitation.\n\nNone of these replace the fix.\n\n## Affected Code\nThe vulnerability is the combination of two primitives. `go-git` translates Git symlink entries into OS symlinks unconditionally (except `.gitmodules`):\n\n```go\n// go-git v5 \u2014 Worktree.checkoutFileSymlink\nfunc (w *Worktree) checkoutFileSymlink(f *object.File) (err error) {\n if strings.EqualFold(f.Name, gitmodulesFile) {\n return ErrGitModulesSymlink\n }\n // ... reads blob content as raw bytes ...\n err = w.Filesystem.Symlink(string(bytes), f.Name)\n return\n}\n```\n\nRelative symlink targets (`../../etc/passwd`) are passed through to `os.Symlink` as-is and escape the worktree at OS resolution time. (Absolute targets are chrooted to the worktree by `go-billy`\u0027s `ChrootHelper.Symlink` and are not useful to the attacker.)\n\nOn the read side, `GetFileContent` in `api/filesystem/filesystem.go` applies lexical path containment but not symlink resolution:\n\n```go\nfunc (service *Service) GetFileContent(trustedRoot, filePath string) ([]byte, error) {\n content, err := os.ReadFile(JoinPaths(trustedRoot, filePath))\n return content, err\n}\n```\n\n`JoinPaths` prevents `../` traversal in the input string but does not call `filepath.EvalSymlinks`, so a symlink already written to the project path resolves through `os.ReadFile` to its ultimate target.\n\nThe fix wraps the `go-billy` filesystem used by the Git checkout with a custom `noSymlinkFS` type whose `Symlink()` method returns `ErrSymlinkDetected`, causing the clone to fail rather than write any OS symlink. Git trees that would otherwise produce a symlink entry are rejected at checkout time, closing the primary attack path. On the 2.33.x and 2.39.x branches the fix also hardens `GetFileContent` to call `filepath.EvalSymlinks` and verify the resolved path remains inside the trusted root, providing a second layer of defence against any future regression in Git-checkout handling.\n\n## Impact\n- **Arbitrary file read as the Portainer process.** Any file readable by the Portainer process \u2014 typically root in containerized deployments \u2014 can be returned through the stack file endpoint. Common targets include `/etc/shadow`, `/root/.ssh/*`, `/proc/self/environ`, and the Portainer BoltDB (`portainer.db`) which contains all user password hashes, API tokens, and agent credentials.\n- **Kubernetes service account token exposure.** Portainer running on Kubernetes has its cluster service account token mounted at `/var/run/secrets/kubernetes.io/serviceaccount/token`; reading it grants the attacker the Portainer pod\u0027s cluster API access.\n- **Docker Swarm secret exposure.** Secrets mounted into the Portainer container at `/run/secrets/` (for example the initial admin password in Swarm deployments) are readable with the same mechanism.\n- **Onward compromise.** Leaked service tokens, registry credentials, and database contents frequently enable authenticated access to managed Docker/Kubernetes environments, container registries, and Portainer itself under other users\u0027 identities.\n- **Deferred exploitation via auto-update.** A repository that passes initial review at stack creation can be mutated afterwards; the malicious commit takes effect on the next auto-update cycle without user interaction.\n\n## Timeline\n- 2026-03-20: Reported via GitHub Security Advisory by **b-hermes**.\n- 2026-04-18: Fix merged to `develop`.\n- 2026-04-29: 2.41.0 released with fix.\n- 2026-05-07: 2.33.8, 2.39.2, released with fix.\n\n## Credit\n- **b-hermes** \u2014 identified the Git symlink injection primitive, traced the end-to-end chain through `GetFileContent`, and provided a fully validated proof-of-concept.",
"id": "GHSA-rpgq-m5fp-32wr",
"modified": "2026-06-09T10:25:20Z",
"published": "2026-05-14T16:23:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/portainer/portainer/security/advisories/GHSA-rpgq-m5fp-32wr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44881"
},
{
"type": "PACKAGE",
"url": "https://github.com/portainer/portainer"
},
{
"type": "WEB",
"url": "https://github.com/portainer/portainer/releases/tag/2.33.8"
},
{
"type": "WEB",
"url": "https://github.com/portainer/portainer/releases/tag/2.39.2"
},
{
"type": "WEB",
"url": "https://github.com/portainer/portainer/releases/tag/2.41.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Portainer Has an Arbitrary File Read via Git Symlink Injection in Stack Auto-Update"
}
GHSA-RPQW-5G6J-X944
Vulnerability from github – Published: 2022-05-02 03:40 – Updated: 2022-05-02 03:40The postfix.postinst script in the Debian GNU/Linux and Ubuntu postfix 2.5.5 package grants the postfix user write access to /var/spool/postfix/pid, which might allow local users to conduct symlink attacks that overwrite arbitrary files.
{
"affected": [],
"aliases": [
"CVE-2009-2939"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-09-21T19:30:00Z",
"severity": "MODERATE"
},
"details": "The postfix.postinst script in the Debian GNU/Linux and Ubuntu postfix 2.5.5 package grants the postfix user write access to /var/spool/postfix/pid, which might allow local users to conduct symlink attacks that overwrite arbitrary files.",
"id": "GHSA-rpqw-5g6j-x944",
"modified": "2022-05-02T03:40:08Z",
"published": "2022-05-02T03:40:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2939"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2011/dsa-2233"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2009/09/18/6"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RPQW-J963-73GH
Vulnerability from github – Published: 2026-04-15 18:31 – Updated: 2026-04-15 18:31A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated, local attacker with low privileges to overwrite arbitrary files on the local system of an affected device.
This vulnerability is due to improper access controls on files that are on the local file system of an affected device. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system. A successful exploit could allow the attacker to bypass file system permissions and overwrite arbitrary files on the affected device.
{
"affected": [],
"aliases": [
"CVE-2026-20161"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-15T17:17:03Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated, local attacker with low privileges to overwrite arbitrary files on the local system of an affected device.\n\nThis vulnerability is due to improper access controls on files that are on the local file system\u0026nbsp;of an affected device. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system. A successful exploit could allow the attacker to bypass file system permissions and overwrite arbitrary files on the affected device.",
"id": "GHSA-rpqw-j963-73gh",
"modified": "2026-04-15T18:31:58Z",
"published": "2026-04-15T18:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20161"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-te-agentfilewrite-tqUw3SMU"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RPW6-9XFX-JVCX
Vulnerability from github – Published: 2021-04-22 16:20 – Updated: 2025-10-22 18:00Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
:exclamation: Note:
There was an initial fix for this vulnerability made in version 1.4.12. That fix introduced a bug which was fixed in 1.4.13. Therefore we have set the first-patched-version to 1.4.13 which the earliest working version that avoids this vulnerability.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.4.11"
},
"package": {
"ecosystem": "Packagist",
"name": "pear/archive_tar"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36193"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-22T23:56:54Z",
"nvd_published_at": "2021-01-18T20:15:00Z",
"severity": "HIGH"
},
"details": "Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.\n\n### :exclamation: Note: \nThere was an [initial fix](https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916) for this vulnerability made in version `1.4.12`. That fix introduced a bug which was [fixed in 1.4.13](https://github.com/pear/Archive_Tar/pull/36). Therefore we have set the first-patched-version to `1.4.13` which the earliest working version that avoids this vulnerability.",
"id": "GHSA-rpw6-9xfx-jvcx",
"modified": "2025-10-22T18:00:26Z",
"published": "2021-04-22T16:20:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36193"
},
{
"type": "WEB",
"url": "https://github.com/pear/Archive_Tar/issues/35"
},
{
"type": "WEB",
"url": "https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-core-2021-001"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4894"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-36193"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202101-23"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00018.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/pear/Archive_Tar"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/pear/archive_tar/CVE-2020-36193.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H",
"type": "CVSS_V3"
}
],
"summary": "Directory Traversal in Archive_Tar"
}
GHSA-RPWQ-XW4M-459X
Vulnerability from github – Published: 2023-01-17 03:30 – Updated: 2023-01-25 15:30A vulnerability exists in the FTP server of the Zyxel AX7501-B0 firmware prior to V5.17(ABPC.3)C0, which processes symbolic links on external storage media. A local authenticated attacker with administrator privileges could abuse this vulnerability to access the root file system by creating a symbolic link on external storage media, such as a USB flash drive, and then logging into the FTP server on a vulnerable device.
{
"affected": [],
"aliases": [
"CVE-2022-45440"
],
"database_specific": {
"cwe_ids": [
"CWE-552",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-17T02:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability exists in the FTP server of the Zyxel AX7501-B0 firmware prior to V5.17(ABPC.3)C0, which processes symbolic links on external storage media. A local authenticated attacker with administrator privileges could abuse this vulnerability to access the root file system by creating a symbolic link on external storage media, such as a USB flash drive, and then logging into the FTP server on a vulnerable device.",
"id": "GHSA-rpwq-xw4m-459x",
"modified": "2023-01-25T15:30:59Z",
"published": "2023-01-17T03:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45440"
},
{
"type": "WEB",
"url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-cleartext-storage-of-wifi-credentials-and-improper-symbolic-links-of-ftp-for-ax7501-b0-cpe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RPXC-37CC-9WHW
Vulnerability from github – Published: 2024-06-11 18:30 – Updated: 2024-06-11 18:30Microsoft Azure File Sync Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-35253"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T17:16:03Z",
"severity": "MODERATE"
},
"details": "Microsoft Azure File Sync Elevation of Privilege Vulnerability",
"id": "GHSA-rpxc-37cc-9whw",
"modified": "2024-06-11T18:30:50Z",
"published": "2024-06-11T18:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35253"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35253"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RPXR-RM37-GG4Q
Vulnerability from github – Published: 2022-05-17 02:18 – Updated: 2022-05-17 02:18dist 3.5 allows local users to overwrite arbitrary files via a symlink attack on (a) /tmp/cil#####, (b) /tmp/pdo#####, and (c) /tmp/pdn##### temporary files, related to the (1) patcil and (2) patdiff scripts.
{
"affected": [],
"aliases": [
"CVE-2008-4949"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-05T15:00:00Z",
"severity": "MODERATE"
},
"details": "dist 3.5 allows local users to overwrite arbitrary files via a symlink attack on (a) /tmp/cil#####, (b) /tmp/pdo#####, and (c) /tmp/pdn##### temporary files, related to the (1) patcil and (2) patdiff scripts.",
"id": "GHSA-rpxr-rm37-gg4q",
"modified": "2022-05-17T02:18:32Z",
"published": "2022-05-17T02:18:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4949"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44818"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/496412"
},
{
"type": "WEB",
"url": "http://dev.gentoo.org/~rbu/security/debiantemp/dist"
},
{
"type": "WEB",
"url": "http://uvw.ru/report.lenny.txt"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/30908"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RQ4M-M5M7-PP6Q
Vulnerability from github – Published: 2022-05-14 01:17 – Updated: 2022-05-14 01:17An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "libarchive" component, which allows remote attackers to write to arbitrary files via a crafted archive containing a symlink.
{
"affected": [],
"aliases": [
"CVE-2016-4679"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-20T08:59:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the \"libarchive\" component, which allows remote attackers to write to arbitrary files via a crafted archive containing a symlink.",
"id": "GHSA-rq4m-m5m7-pp6q",
"modified": "2022-05-14T01:17:25Z",
"published": "2022-05-14T01:17:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4679"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207269"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207270"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207271"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207275"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/93849"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037086"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.