CWE•Variant•Incomplete•0 recent CVEs
CWE-34Path Traversal: '....//'
Description
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory.
[object Object]
Common consequences
- Confidentiality,Integrity→Read Files or Directories,Modify Files or Directories
Potential mitigations
- Implementation[object Object]
- ImplementationInputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.