Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1988 vulnerabilities reference this CWE, most recent first.

GHSA-57X5-VVHV-RVXM

Vulnerability from github – Published: 2022-05-17 04:37 – Updated: 2022-05-17 04:37
VLAI
Details

The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary file via an attack on the sensor-settings file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-6124"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-08-31T10:55:00Z",
    "severity": "LOW"
  },
  "details": "The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary file via an attack on the sensor-settings file.",
  "id": "GHSA-57x5-vvhv-rvxm",
  "modified": "2022-05-17T04:37:59Z",
  "published": "2022-05-17T04:37:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6124"
    },
    {
      "type": "WEB",
      "url": "https://www.codeaurora.org/projects/security-advisories/insecure-owner-permission-changes-init-shell-scripts-cve-2013-6124"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5848-87GF-WVQV

Vulnerability from github – Published: 2022-05-14 02:40 – Updated: 2022-05-14 02:40
VLAI
Details

/bin/login in shadow 4.0.18.1 in Debian GNU/Linux, and probably other Linux distributions, allows local users in the utmp group to overwrite arbitrary files via a symlink attack on a temporary file referenced in a line (aka ut_line) field in a utmp entry.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-5394"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-12-09T00:30:00Z",
    "severity": "HIGH"
  },
  "details": "/bin/login in shadow 4.0.18.1 in Debian GNU/Linux, and probably other Linux distributions, allows local users in the utmp group to overwrite arbitrary files via a symlink attack on a temporary file referenced in a line (aka ut_line) field in a utmp entry.",
  "id": "GHSA-5848-87gf-wvqv",
  "modified": "2022-05-14T02:40:14Z",
  "published": "2022-05-14T02:40:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5394"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47037"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/7313"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/332198"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/505071"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/505271"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/52200"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-200903-24.xml"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/4695"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:062"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/498769/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/32552"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/usn-695-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5888-494V-35JQ

Vulnerability from github – Published: 2022-04-30 18:22 – Updated: 2024-01-25 21:32
VLAI
Details

Sun PC NetLink 1.0 through 1.2 does not properly set the access control list (ACL) for files and directories that use symbolic links and have been restored from backup, which could allow local or remote attackers to bypass intended access restrictions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2002-2323"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281",
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2002-12-31T05:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Sun PC NetLink 1.0 through 1.2 does not properly set the access control list (ACL) for files and directories that use symbolic links and have been restored from backup, which could allow local or remote attackers to bypass intended access restrictions.",
  "id": "GHSA-5888-494v-35jq",
  "modified": "2024-01-25T21:32:09Z",
  "published": "2022-04-30T18:22:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-2323"
    },
    {
      "type": "WEB",
      "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-27807-1"
    },
    {
      "type": "WEB",
      "url": "http://www.iss.net/security_center/static/9665.php"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/5281"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-58P9-FWRR-259C

Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46
VLAI
Details

VestaCP through 0.9.8-24 allows attackers to gain privileges by creating symlinks to files for which they lack permissions. After reading the RKEY value from user.conf under the /usr/local/vesta/data/users/admin directory, the admin password can be changed via a /reset/?action=confirm&user=admin&code= URI. This occurs because chmod is used unsafely.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30463"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-08T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "VestaCP through 0.9.8-24 allows attackers to gain privileges by creating symlinks to files for which they lack permissions. After reading the RKEY value from user.conf under the /usr/local/vesta/data/users/admin directory, the admin password can be changed via a /reset/?action=confirm\u0026user=admin\u0026code= URI. This occurs because chmod is used unsafely.",
  "id": "GHSA-58p9-fwrr-259c",
  "modified": "2022-05-24T17:46:55Z",
  "published": "2022-05-24T17:46:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30463"
    },
    {
      "type": "WEB",
      "url": "https://ssd-disclosure.com/ssd-advisory-vestacp-lpe-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-58PW-R2V4-PWJV

Vulnerability from github – Published: 2025-08-08 21:30 – Updated: 2025-11-05 00:31
VLAI
Details

7-Zip before 25.01 does not always properly handle symbolic links during extraction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55188"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-08T21:15:25Z",
    "severity": "LOW"
  },
  "details": "7-Zip before 25.01 does not always properly handle symbolic links during extraction.",
  "id": "GHSA-58pw-r2v4-pwjv",
  "modified": "2025-11-05T00:31:24Z",
  "published": "2025-08-08T21:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55188"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ip7z/7zip/compare/25.00...25.01"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ip7z/7zip/releases/tag/25.01"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lunbun/CVE-2025-55188"
    },
    {
      "type": "WEB",
      "url": "https://lunbun.dev/blog/cve-2025-55188"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/sevenzip/discussion/45797/thread/da14cd780b"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2025/08/09/1"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-55188-detect-7-zip-vulnerable-version"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-55188-mitigate-7-zip-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://youtu.be/sWT6M1cfnwM"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/08/09/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/08/10/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/08/13/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/10/12/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/10/16/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-58V9-JF45-V492

Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2024-04-04 03:04
VLAI
Details

Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-16T04:15:00Z",
    "severity": "HIGH"
  },
  "details": "Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text.",
  "id": "GHSA-58v9-jf45-v492",
  "modified": "2024-04-04T03:04:36Z",
  "published": "2022-05-24T17:42:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27229"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mumble-voip/mumble/pull/4733"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mumble-voip/mumble/compare/1.3.3...1.3.4"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202105-13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-58XF-QF7H-M4M6

Vulnerability from github – Published: 2022-05-17 05:53 – Updated: 2022-05-17 05:53
VLAI
Details

nvidia-cg-toolkit-installer in nvidia-cg-toolkit 2.0.0015 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/nvidia-cg-toolkit-manifest temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-5144"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-11-18T16:00:00Z",
    "severity": "MODERATE"
  },
  "details": "nvidia-cg-toolkit-installer in nvidia-cg-toolkit 2.0.0015 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/nvidia-cg-toolkit-manifest temporary file.",
  "id": "GHSA-58xf-qf7h-m4m6",
  "modified": "2022-05-17T05:53:08Z",
  "published": "2022-05-17T05:53:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5144"
    },
    {
      "type": "WEB",
      "url": "http://lists.debian.org/debian-devel/2008/08/msg00285.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/32411"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5977-VHPG-P3HQ

Vulnerability from github – Published: 2024-05-14 18:31 – Updated: 2024-05-14 18:31
VLAI
Details

Microsoft PLUGScheduler Scheduled Task Elevation of Privilege Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26238"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T17:15:50Z",
    "severity": "HIGH"
  },
  "details": "Microsoft PLUGScheduler Scheduled Task Elevation of Privilege Vulnerability",
  "id": "GHSA-5977-vhpg-p3hq",
  "modified": "2024-05-14T18:31:03Z",
  "published": "2024-05-14T18:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26238"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26238"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-597G-3PHW-6986

Vulnerability from github – Published: 2026-01-13 18:45 – Updated: 2026-01-13 18:45
VLAI
Summary
virtualenv Has TOCTOU Vulnerabilities in Directory Creation
Details

Impact

TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations.

Affected versions: All versions up to and including 20.36.1

Affected users: Any user running virtualenv on multi-user systems where untrusted local users have filesystem access to shared temporary directories or where VIRTUALENV_OVERRIDE_APP_DATA points to a user-writable location.

Attack scenarios: - Cache poisoning: Attacker corrupts wheels or Python metadata in the cache - Information disclosure: Attacker reads sensitive cached data or metadata - Lock bypass: Attacker controls lock file semantics to cause concurrent access violations - Denial of service: Lock starvation preventing virtualenv operations

Patches

The vulnerability has been patched by replacing check-then-act patterns with atomic os.makedirs(..., exist_ok=True) operations.

Fixed in: PR #3013

Versions with the fix: 20.36.2 and later

Users should upgrade to version 20.36.2 or later.

Workarounds

If you cannot upgrade immediately:

  1. Ensure VIRTUALENV_OVERRIDE_APP_DATA points to a directory owned by the current user with restricted permissions (mode 0700)
  2. Avoid running virtualenv in shared temporary directories where other users have write access
  3. Use separate user accounts for different projects to isolate app_data directories

References

  • GitHub PR: https://github.com/pypa/virtualenv/pull/3013
  • Vulnerability reported by: @tsigouris007
  • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (TOCTOU)
  • CWE-59: Improper Link Resolution Before File Access
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "virtualenv"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "20.36.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22702"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T18:45:57Z",
    "nvd_published_at": "2026-01-10T07:16:02Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nTOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in `virtualenv` allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv\u0027s app_data and lock file operations to attacker-controlled locations.\n\n**Affected versions:** All versions up to and including 20.36.1\n\n**Affected users:** Any user running `virtualenv` on multi-user systems where untrusted local users have filesystem access to shared temporary directories or where `VIRTUALENV_OVERRIDE_APP_DATA` points to a user-writable location.\n\n**Attack scenarios:**\n- Cache poisoning: Attacker corrupts wheels or Python metadata in the cache\n- Information disclosure: Attacker reads sensitive cached data or metadata\n- Lock bypass: Attacker controls lock file semantics to cause concurrent access violations\n- Denial of service: Lock starvation preventing virtualenv operations\n\n## Patches\n\nThe vulnerability has been patched by replacing check-then-act patterns with atomic `os.makedirs(..., exist_ok=True)` operations.\n\n**Fixed in:** PR #3013\n\n**Versions with the fix:** 20.36.2 and later\n\nUsers should upgrade to version 20.36.2 or later.\n\n## Workarounds\n\nIf you cannot upgrade immediately:\n\n1. Ensure `VIRTUALENV_OVERRIDE_APP_DATA` points to a directory owned by the current user with restricted permissions (mode 0700)\n2. Avoid running `virtualenv` in shared temporary directories where other users have write access\n3. Use separate user accounts for different projects to isolate app_data directories\n\n## References\n\n- GitHub PR: https://github.com/pypa/virtualenv/pull/3013\n- Vulnerability reported by: @tsigouris007\n- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (TOCTOU)\n- CWE-59: Improper Link Resolution Before File Access",
  "id": "GHSA-597g-3phw-6986",
  "modified": "2026-01-13T18:45:57Z",
  "published": "2026-01-13T18:45:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22702"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/virtualenv/pull/3013"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pypa/virtualenv"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "virtualenv Has TOCTOU Vulnerabilities in Directory Creation"
}

GHSA-599W-RMP9-P3VV

Vulnerability from github – Published: 2022-07-07 00:00 – Updated: 2022-07-15 00:00
VLAI
Details

In sound driver, there is a possible information disclosure due to symlink following. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06558663; Issue ID: ALPS06558663.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-21770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-06T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In sound driver, there is a possible information disclosure due to symlink following. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06558663; Issue ID: ALPS06558663.",
  "id": "GHSA-599w-rmp9-p3vv",
  "modified": "2022-07-15T00:00:23Z",
  "published": "2022-07-07T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21770"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/July-2022"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.