CWE-32 Detail

CWE-32

Path Traversal: '...' (Triple Dot)
Incomplete
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Notifications manage

Name: Path Traversal: '...' (Triple Dot)

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '...' (triple dot) sequences that can resolve to a location that is outside of that directory.

General Informations

Modes Of Introduction

Implementation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Operating Systems

Class: Windows (Sometimes)

Technologies

Class: Not Technology-Specific (Undetermined)

Common Consequences

Scope Impact Likelihood
Confidentiality
Integrity		Read Files or Directories, Modify Files or Directories

Observed Examples

References Description

CVE-2001-0467

"\..." in web server

CVE-2001-0615

"..." or "...." in chat server

CVE-2001-0963

"..." in cd command in FTP server

CVE-2001-1193

"..." in cd command in FTP server

CVE-2001-1131

"..." in cd command in FTP server

CVE-2001-0480

read of arbitrary files and directories using GET or CD with "..." in Windows-based FTP server.

CVE-2002-0288

read files using "." and Unicode-encoded "/" or "\" characters in the URL.

CVE-2003-0313

Directory listing of web server using "..."

CVE-2005-1658

Triple dot

Potential Mitigations

Phases : Implementation
Phases : Implementation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Detection Methods

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Vulnerability Mapping Notes

Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Notes


Submission

Name Organization Date Date release Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modifications

Name Organization Date Comment
Eric Dalci Cigital 2008-07-01 +00:00 updated Potential_Mitigations, Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Maintenance_Notes, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2008-10-14 +00:00 updated Description, Maintenance_Notes
CWE Content Team MITRE 2008-11-24 +00:00 updated Observed_Examples
CWE Content Team MITRE 2009-07-27 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2010-06-21 +00:00 updated Description, Maintenance_Notes, Potential_Mitigations
CWE Content Team MITRE 2011-03-29 +00:00 updated Maintenance_Notes, Potential_Mitigations
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms
CWE Content Team MITRE 2020-02-24 +00:00 updated Potential_Mitigations, Relationships
CWE Content Team MITRE 2020-06-25 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2021-03-15 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-09-09 +00:00 updated Affected_Resources, Functional_Areas
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.