CWE-23: Relative Path Traversal
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
常见后果
影响范围: Integrity Confidentiality Availability
技术影响: Execute Unauthorized Code or Commands
说明: The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.
影响范围: Integrity
技术影响: Modify Files or Directories
说明: The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.
影响范围: Confidentiality
技术影响: Read Files or Directories
说明: The attacker may be able read the contents of unexpected files and expose sensitive data by traversing the file system to access files or directories that are outside of the restricted directory. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.
影响范围: Availability
技术影响: DoS: Crash, Exit, or Restart
说明: The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the product from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the product.
潜在缓解措施
阶段: Implementation
策略: Input Validation
阶段: Implementation
策略: Input Validation
阶段: Operation
策略: Firewall
描述: Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
有效性: Moderate
检测方法
方法: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
有效性: High
观察示例
参考: CVE-2024-37032
Large language model (LLM) management tool does not validate the format of a digest value (CWE-1287) from a private, untrusted model registry, enabling relative path traversal (CWE-23), a.k.a. Probllama
参考: CVE-2024-0520
Product for managing datasets for AI model training and evaluation allows both relative (CWE-23) and absolute (CWE-36) path traversal to overwrite files via the Content-Disposition header
参考: CVE-2022-45918
Chain: a learning management tool debugger uses external input to locate previous session logs (CWE-73) and does not properly validate the given path (CWE-20), allowing for filesystem path traversal using "../" sequences (CWE-24)
参考: CVE-2019-20916
Python package manager does not correctly restrict the filename specified in a Content-Disposition header, allowing arbitrary file read using path traversal sequences such as "../"
参考: CVE-2022-24877
directory traversal in Go-based Kubernetes operator app allows accessing data from the controller's pod file system via ../ sequences in a yaml file
参考: CVE-2020-4053
a Kubernetes package manager written in Go allows malicious plugins to inject path traversal sequences into a plugin archive ("Zip slip") to copy a file outside the intended directory
参考: CVE-2021-21972
Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences (CWE-23) in the file to access unexpected files, as exploited in the wild per CISA KEV.
参考: CVE-2019-10743
Go-based archive library allows extraction of files to locations outside of the target folder with "../" path traversal sequences in filenames in a zip file, aka "Zip Slip"
参考: CVE-2002-0298
Server allows remote attackers to cause a denial of service via certain HTTP GET requests containing a %2e%2e (encoded dot-dot), several "/../" sequences, or several "../" in a URI.
参考: CVE-2002-0661
"\" not in denylist for web server, allowing path traversal attacks when the server is run in Windows and other OSes.
参考: CVE-2002-0946
Arbitrary files may be read files via ..\ (dot dot) sequences in an HTTP request.
参考: CVE-2002-1042
Directory traversal vulnerability in search engine for web server allows remote attackers to read arbitrary files via "..\" sequences in queries.
参考: CVE-2002-1209
Directory traversal vulnerability in FTP server allows remote attackers to read arbitrary files via "..\" sequences in a GET request.
参考: CVE-2002-1178
Directory traversal vulnerability in servlet allows remote attackers to execute arbitrary commands via "..\" sequences in an HTTP request.
参考: CVE-2002-1987
Protection mechanism checks for "/.." but doesn't account for Windows-specific "\.." allowing read of arbitrary files.
参考: CVE-2005-2142
Directory traversal vulnerability in FTP server allows remote authenticated attackers to list arbitrary directories via a "\.." sequence in an LS command.
参考: CVE-2002-0160
The administration function in Access Control Server allows remote attackers to read HTML, Java class, and image files outside the web root via a "..\.." sequence in the URL to port 2002.
参考: CVE-2001-0467
"\..." in web server
参考: CVE-2001-0963
"..." in cd command in FTP server
参考: CVE-2001-1193
"..." in cd command in FTP server
参考: CVE-2001-1131
"..." in cd command in FTP server
参考: CVE-2001-0480
read of arbitrary files and directories using GET or CD with "..." in Windows-based FTP server.
参考: CVE-2002-0288
read files using "." and Unicode-encoded "/" or "\" characters in the URL.
参考: CVE-2003-0313
Directory listing of web server using "..."
参考: CVE-2005-1658
Triple dot
参考: CVE-2000-0240
read files via "/........../" in URL
参考: CVE-2000-0773
read files via "...." in web server
参考: CVE-1999-1082
read files via "......" in web server (doubled triple dot?)
参考: CVE-2004-2121
read files via "......" in web server (doubled triple dot?)
参考: CVE-2001-0491
multiple attacks using "..", "...", and "...." in different commands
参考: CVE-2001-0615
"..." or "...." in chat server
参考: CVE-2005-2169
chain: ".../...//" bypasses protection mechanism using regexp's that remove "../" resulting in collapse into an unsafe value "../" (CWE-182) and resultant path traversal.
参考: CVE-2005-0202
".../....///" bypasses regexp's that remove "./" and "../"
参考: CVE-2004-1670
Mail server allows remote attackers to create arbitrary directories via a ".." or rename arbitrary files via a "....//" in user supplied parameters.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
适用平台
编程语言
技术
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | Relative Path Traversal | - |
| Software Fault Patterns | SFP16 | Path Traversal | - |