CWE-36 Detail

CWE-36

Absolute Path Traversal
Draft
2006-07-19
00h00 +00:00
2024-11-19
00h00 +00:00

Name: Absolute Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

CWE Description

This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.

General Information

Modes Of Introduction

Implementation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Scope: Integrity, Confidentiality, Availability
Impact: Execute Unauthorized Code or Commands

Note: The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.

Scope: Integrity
Impact: Modify Files or Directories

Note: The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.

Scope: Confidentiality
Impact: Read Files or Directories

Note: The attacker may be able to read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.

Scope: Availability
Impact: DoS: Crash, Exit, or Restart

Note: The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the product from working at all and, in the case of a protection mechanism such as authentication, it has the potential to lock out every user of the product.

Observed Examples

References Description

CVE-2022-31503

Python package constructs filenames using an unsafe os.path.join call on untrusted input, allowing absolute path traversal because os.path.join resets the pathname to an absolute path that is specified as part of the input.

CVE-2002-1345

Multiple FTP clients write arbitrary files via absolute paths in server responses

CVE-2001-1269

ZIP file extractor allows full path

CVE-2002-1818

Path traversal using absolute pathname

CVE-2002-1913

Path traversal using absolute pathname

CVE-2005-2147

Path traversal using absolute pathname

CVE-2000-0614

Arbitrary files may be overwritten via compressed attachments that specify absolute path names for the decompressed output.

CVE-1999-1263

Mail client allows remote attackers to overwrite arbitrary files via an e-mail message containing a uuencoded attachment that specifies the full pathname for the file to be modified.

CVE-2003-0753

Remote attackers can read arbitrary files via a full pathname to the target file in config parameter.

CVE-2002-1525

Remote attackers can read arbitrary files via an absolute pathname.

CVE-2001-0038

Remote attackers can read arbitrary files by specifying the drive letter in the requested URL.

CVE-2001-0255

FTP server allows remote attackers to list arbitrary directories by using the "ls" command and including the drive letter name (e.g. C:) in the requested pathname.

CVE-2001-0933

FTP server allows remote attackers to list the contents of arbitrary drives via a ls command that includes the drive letter as an argument.

CVE-2002-0466

Server allows remote attackers to browse arbitrary directories via a full pathname in the arguments to certain dynamic pages.

CVE-2002-1483

Remote attackers can read arbitrary files via an HTTP request whose argument is a filename of the form "C:" (Drive letter), "//absolute/path", or "..".

CVE-2004-2488

FTP server read/access arbitrary files using "C:\" filenames

CVE-2001-0687

FTP server allows a remote attacker to retrieve privileged web server system information by specifying arbitrary paths in the UNC format (\\computername\sharename).
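
The os.path.join behaviour described for CVE-2022-31503 above, next to a resolver that keeps results inside the restricted directory, as an added example that is not part of the CWE entry. The function names, the `/srv/uploads` base and the sample inputs are constructed for illustration; the prefix check covers the "/abs/path", drive-letter and UNC forms listed on this page.

```python
import os
import posixpath
import tempfile

# Constructed sample inputs covering the absolute forms listed on this page.
SAMPLES = ["report.txt", "sub/report.txt", "/etc/passwd",
           "C:\\boot.ini", "\\\\host\\share\\f", "../outside"]


def unsafe_join(base, user_path):
    """Vulnerable pattern: join() discards base when user_path is absolute."""
    return posixpath.join(base, user_path)


def safe_resolve(base, user_path):
    """Return the real path of user_path under base, or raise ValueError."""
    if not user_path or "\x00" in user_path:
        raise ValueError("empty or NUL-containing path")
    # Reject POSIX-absolute, UNC/backslash-rooted and drive-letter forms up
    # front, whatever the host OS. Conservative: also refuses names like "a:b".
    if user_path[0] in "/\\" or user_path[1:2] == ":":
        raise ValueError("absolute path rejected")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    # Containment check on the resolved path; this also stops ".." and symlinks
    # that resolve outside base at the time of the check.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("path escapes base directory")
    return candidate


def classify(base, samples=SAMPLES):
    """Map each sample to 'ok' or 'rejected' for the given base directory."""
    result = {}
    for name in samples:
        try:
            safe_resolve(base, name)
            result[name] = "ok"
        except ValueError:
            result[name] = "rejected"
    return result


def demo():
    with tempfile.TemporaryDirectory() as base:  # stand-in restricted directory
        return classify(base)


if __name__ == "__main__":
    print(unsafe_join("/srv/uploads", "/etc/passwd"))  # base is silently dropped
    print(demo())
```

The containment check runs on the resolved path at one point in time, so the file should be opened promptly afterwards and the base directory should not be writable by the party supplying the name.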

Detection Methods

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High

Vulnerability Mapping Notes

Justification: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

CAPEC-ID Attack Pattern Name
CAPEC-597 Absolute Path Traversal
An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as ".." to extend their range of access to inappropriate areas of the file system. The goal of the adversary is to access directories and files that are intended to be restricted from their access.

References

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

REF-1448

Secure by Design Alert: Eliminating Directory Traversal Vulnerabilities in Software
Cybersecurity and Infrastructure Security Agency.
https://www.cisa.gov/resources-tools/resources/secure-design-alert-eliminating-directory-traversal-vulnerabilities-software

Submission

Name Organization Date Date release Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modifications

Name Organization Date Comment
Sean Eidemiller Cigital 2008-07-01 +00:00 added/updated demonstrative examples
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2008-10-14 +00:00 updated Description
CWE Content Team MITRE 2010-02-16 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2010-06-21 +00:00 updated Demonstrative_Examples, Description
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2011-09-13 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-05-11 +00:00 updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2017-01-19 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2022-10-13 +00:00 updated Observed_Examples
CWE Content Team MITRE 2023-01-31 +00:00 updated Common_Consequences, Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Demonstrative_Examples, Detection_Factors, Relationships, Time_of_Introduction
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2024-07-16 +00:00 updated References
CWE Content Team MITRE 2024-11-19 +00:00 updated Demonstrative_Examples