CWE•Variant•Draft•2 recent CVEs
CWE-27Path Traversal: 'dir/../../filename'
Description
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal "../" sequences that can resolve to a location that is outside of that directory.
[object Object]
Common consequences
- Confidentiality,Integrity→Read Files or Directories,Modify Files or Directories
Potential mitigations
- Implementation[object Object]
- ImplementationInputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.