CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1988 vulnerabilities reference this CWE, most recent first.
GHSA-5PV6-62PR-4GFR
Vulnerability from github – Published: 2022-05-14 03:47 – Updated: 2022-05-14 03:47(1) oo-analytics-export and (2) oo-analytics-import in the openshift-origin-broker-util package in Red Hat OpenShift Enterprise 1 and 2 allow local users to have unspecified impact via a symlink attack on an unspecified file in /tmp.
{
"affected": [],
"aliases": [
"CVE-2013-4364"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-08T19:29:00Z",
"severity": "HIGH"
},
"details": "(1) oo-analytics-export and (2) oo-analytics-import in the openshift-origin-broker-util package in Red Hat OpenShift Enterprise 1 and 2 allow local users to have unspecified impact via a symlink attack on an unspecified file in /tmp.",
"id": "GHSA-5pv6-62pr-4gfr",
"modified": "2022-05-14T03:47:22Z",
"published": "2022-05-14T03:47:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4364"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1009734"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5QGP-P5JC-W2RM
Vulnerability from github – Published: 2022-02-15 00:41 – Updated: 2021-05-20 21:03Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/docker/docker"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-6407"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-20T21:03:55Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation.",
"id": "GHSA-5qgp-p5jc-w2rm",
"modified": "2021-05-20T21:03:55Z",
"published": "2022-02-15T00:41:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-6407"
},
{
"type": "WEB",
"url": "https://github.com/docker/docker/commit/3ac6394b8082d4700483d52fbfe54914be537d9e"
},
{
"type": "WEB",
"url": "https://docs.docker.com/v1.3/release-notes"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145154.html"
},
{
"type": "WEB",
"url": "https://lists.opensuse.org/opensuse-security-announce/2014-12/msg00009.html"
},
{
"type": "WEB",
"url": "https://secunia.com/advisories/60171"
},
{
"type": "WEB",
"url": "https://secunia.com/advisories/60241"
},
{
"type": "WEB",
"url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6407"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2014/11/24/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Arbitrary Code Execution in Docker"
}
GHSA-5QJJ-372W-543M
Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2024-10-08 18:33Azure Monitor Agent Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-38097"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-08T18:15:06Z",
"severity": "HIGH"
},
"details": "Azure Monitor Agent Elevation of Privilege Vulnerability",
"id": "GHSA-5qjj-372w-543m",
"modified": "2024-10-08T18:33:14Z",
"published": "2024-10-08T18:33:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38097"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38097"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5R7F-6HMM-M99P
Vulnerability from github – Published: 2022-05-01 18:35 – Updated: 2022-05-01 18:35db2dasrrm in the DB2 Administration Server (DAS) in IBM DB2 Universal Database 9.5 before Fix Pack 1, 9.1 before Fix Pack 4a, and 8 before FixPak 16 allows local users to overwrite arbitrary files via a symlink attack on files used for initialization.
{
"affected": [],
"aliases": [
"CVE-2007-5664"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-04-16T18:05:00Z",
"severity": "MODERATE"
},
"details": "db2dasrrm in the DB2 Administration Server (DAS) in IBM DB2 Universal Database 9.5 before Fix Pack 1, 9.1 before Fix Pack 4a, and 8 before FixPak 16 allows local users to overwrite arbitrary files via a symlink attack on files used for initialization.",
"id": "GHSA-5r7f-6hmm-m99p",
"modified": "2022-05-01T18:35:41Z",
"published": "2022-05-01T18:35:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5664"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41848"
},
{
"type": "WEB",
"url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=688"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/29784"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/27870"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1019852"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2008/1237/references"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5R8P-H2WH-WVQ8
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-10-25 19:00Improper privileges management vulnerability in McAfee Endpoint Security (ENS) Windows prior to 10.7.0 September 2021 Update allows local users to access files which they would otherwise not have access to via manipulating junction links to redirect McAfee folder operations to an unintended location.
{
"affected": [],
"aliases": [
"CVE-2021-31843"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-17T14:15:00Z",
"severity": "HIGH"
},
"details": "Improper privileges management vulnerability in McAfee Endpoint Security (ENS) Windows prior to 10.7.0 September 2021 Update allows local users to access files which they would otherwise not have access to via manipulating junction links to redirect McAfee folder operations to an unintended location.",
"id": "GHSA-5r8p-h2wh-wvq8",
"modified": "2022-10-25T19:00:31Z",
"published": "2022-05-24T19:14:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31843"
},
{
"type": "WEB",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10367"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5RXR-FVX4-FR86
Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2025-12-09 18:30Dell Encryption, versions prior to 11.12.1, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering.
{
"affected": [],
"aliases": [
"CVE-2025-46636"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-09T18:15:52Z",
"severity": "MODERATE"
},
"details": "Dell Encryption, versions prior to 11.12.1, contain an Improper Link Resolution Before File Access (\u0027Link Following\u0027) vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering.",
"id": "GHSA-5rxr-fvx4-fr86",
"modified": "2025-12-09T18:30:45Z",
"published": "2025-12-09T18:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46636"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000394657/dsa-2025-442"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5V72-G8C6-FHCJ
Vulnerability from github – Published: 2024-11-23 03:31 – Updated: 2024-11-23 03:31Panda Security Dome Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Panda Security Dome. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the PSANHost executable. By creating a junction, an attacker can abuse the service to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23402.
{
"affected": [],
"aliases": [
"CVE-2024-7242"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-22T22:15:17Z",
"severity": "HIGH"
},
"details": "Panda Security Dome Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Panda Security Dome. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the PSANHost executable. By creating a junction, an attacker can abuse the service to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23402.",
"id": "GHSA-5v72-g8c6-fhcj",
"modified": "2024-11-23T03:31:58Z",
"published": "2024-11-23T03:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7242"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1017"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5VQQ-7M9G-FGPG
Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2022-05-13 01:44An issue was discovered in certain Apple products. iOS before 10.3 is affected. macOS before 10.12.4 is affected. tvOS before 10.2 is affected. watchOS before 3.2 is affected. The issue involves symlink mishandling in the "libarchive" component. It allows local users to change arbitrary directory permissions via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2017-2390"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-02T01:59:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in certain Apple products. iOS before 10.3 is affected. macOS before 10.12.4 is affected. tvOS before 10.2 is affected. watchOS before 3.2 is affected. The issue involves symlink mishandling in the \"libarchive\" component. It allows local users to change arbitrary directory permissions via unspecified vectors.",
"id": "GHSA-5vqq-7m9g-fgpg",
"modified": "2022-05-13T01:44:48Z",
"published": "2022-05-13T01:44:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2390"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207601"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207602"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207615"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207617"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97137"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038138"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5W5R-CWGX-PJQM
Vulnerability from github – Published: 2025-06-17 21:32 – Updated: 2025-06-17 21:32A link following vulnerability in the anti-malware solution portion of Trend Micro Deep Security 20.0 agents could allow a local attacker to escalate privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2025-30641"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-17T21:15:37Z",
"severity": "HIGH"
},
"details": "A link following vulnerability in the anti-malware solution portion of Trend Micro Deep Security 20.0 agents could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
"id": "GHSA-5w5r-cwgx-pjqm",
"modified": "2025-06-17T21:32:31Z",
"published": "2025-06-17T21:32:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30641"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/en-US/solution/KA-0019344"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-240"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5WFQ-MM77-25RH
Vulnerability from github – Published: 2022-05-04 00:00 – Updated: 2022-05-11 00:01In netdiag, there is a possible symbolic link following due to an improper link resolution. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06308877; Issue ID: ALPS06308877.
{
"affected": [],
"aliases": [
"CVE-2022-20085"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-03T20:15:00Z",
"severity": "MODERATE"
},
"details": "In netdiag, there is a possible symbolic link following due to an improper link resolution. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06308877; Issue ID: ALPS06308877.",
"id": "GHSA-5wfq-mm77-25rh",
"modified": "2022-05-11T00:01:43Z",
"published": "2022-05-04T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20085"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/May-2022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.