Category: SFP Secondary Cluster: Path Traversal
Incomplete
Summary
This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).
Membership
| ID | Name | Description |
|---|---|---|
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | This vulnerability occurs when an application builds a file path using user input but fails to properly validate it, allowing an attacker to break out of the intended directory and access files or folders anywhere on the server. |
| CWE-23 | Relative Path Traversal | This vulnerability occurs when an application builds file paths using user-supplied input without properly validating or sanitizing it. Attackers can exploit this by inserting special directory traversal sequences like '..' to access files and directories outside the intended restricted folder. |
| CWE-24 | Path Traversal: '../filedir' | Path traversal, often called directory traversal, occurs when an application builds a file path using user input without properly blocking sequences like '../'. This allows an attacker to break out of the intended directory and access files or folders anywhere on the server. |
| CWE-25 | Path Traversal: '/../filedir' | This vulnerability, often called directory traversal, occurs when an application builds a file path using user input without properly blocking sequences like '/../'. This lets an attacker break out of the intended directory and access files or folders elsewhere on the server. |
| CWE-26 | Path Traversal: '/dir/../filename' | This vulnerability occurs when an application builds a file path using user input but fails to properly block directory traversal sequences like '/dir/../filename'. This allows an attacker to break out of the intended restricted directory and access files or folders elsewhere on the system. |
| CWE-27 | Path Traversal: 'dir/../../filename' | This vulnerability occurs when an application builds file paths using user input but fails to properly block sequences like 'dir/../../filename'. Attackers can exploit this by injecting multiple '../' segments to escape the intended directory and access unauthorized files or folders elsewhere on the system. |
| CWE-28 | Path Traversal: '..\filedir' | This vulnerability occurs when an application builds a file path using user input but fails to block or properly handle '..\' sequences. This oversight allows an attacker to break out of the intended directory and navigate to unauthorized locations in the file system. |
| CWE-29 | Path Traversal: '\..\filename' | This vulnerability occurs when an application builds file paths using user input but fails to block '\..\filename' sequences. Attackers can use these leading backslash and dot-dot sequences to escape the intended directory and access unauthorized files or folders elsewhere on the system. |
| CWE-30 | Path Traversal: '\dir\..\filename' | This vulnerability occurs when an application builds file paths using user input but fails to properly sanitize sequences like '\dir\..\filename'. Attackers can exploit this to escape the intended directory and access unauthorized files or folders elsewhere on the system. |
| CWE-31 | Path Traversal: 'dir\..\..\filename' | This vulnerability occurs when an application builds file paths using user input but fails to properly block sequences like 'dir\..\..\filename'. Attackers can use these multiple backslash-dot-dot sequences to escape the intended directory and access files or folders anywhere on the file system. |
| CWE-32 | Path Traversal: '...' (Triple Dot) | This vulnerability occurs when an application builds file paths using user input but fails to properly filter out '...' (triple dot) sequences. Attackers can exploit this to escape restricted directories and access unauthorized files or folders on the server. |
| CWE-33 | Path Traversal: '....' (Multiple Dot) | This vulnerability occurs when an application builds file paths using user input but fails to properly filter sequences of multiple dots ('....'). Attackers can exploit this to break out of the intended directory and access unauthorized files or folders elsewhere on the system. |
| CWE-34 | Path Traversal: '....//' | This vulnerability occurs when an application builds file paths using user input but fails to properly sanitize '....//' sequences. Attackers can use this pattern to break out of the intended directory and access unauthorized files or folders elsewhere on the system. |
| CWE-35 | Path Traversal: '.../...//' | This vulnerability occurs when an application builds file paths using user input but fails to properly sanitize the '.../...//' sequence. Attackers can use this specific pattern to break out of the intended directory and access unauthorized files or folders elsewhere on the system. |
| CWE-36 | Absolute Path Traversal | This vulnerability occurs when an application builds file paths using user input without properly blocking absolute paths like '/etc/passwd' or 'C:\Windows\system32'. Attackers can exploit this to escape the intended directory and access sensitive files anywhere on the server. |
| CWE-37 | Path Traversal: '/absolute/pathname/here' | This vulnerability occurs when an application accepts user input containing absolute file paths (starting with a forward slash like '/etc/passwd') and uses it to access files without proper security checks. Attackers can exploit this to read, write, or delete sensitive files anywhere on the server's filesystem. |
| CWE-38 | Path Traversal: '\absolute\pathname\here' | This vulnerability occurs when an application accepts user-supplied input containing Windows-style absolute paths (like '\absolute\pathname\here') without proper validation. Attackers can exploit this to navigate outside the intended directory and access or manipulate sensitive files anywhere on the server's file system. |
| CWE-39 | Path Traversal: 'C:dirname' | This vulnerability occurs when an application accepts user input containing Windows drive letters (like 'C:dirname') without proper validation, allowing attackers to redirect file operations to unintended locations or access arbitrary files on the system. |
| CWE-40 | Path Traversal: '\\UNC\share\name\' (Windows UNC Share) | This vulnerability occurs when an application accepts user input containing a Windows UNC share path (like '\\UNC\share\name') without proper validation, allowing attackers to redirect file operations to unintended network locations or arbitrary files. |
| CWE-41 | Improper Resolution of Path Equivalence | This vulnerability occurs when an application fails to properly handle different text representations that refer to the same file or directory on the system. Attackers can use special characters or alternative naming conventions to bypass security checks and access restricted files. |
| CWE-42 | Path Equivalence: 'filename.' (Trailing Dot) | This vulnerability occurs when a system accepts file or directory paths that end with a dot (like 'file.txt.' or 'folder.') without properly checking them. Attackers can exploit this to bypass security checks, potentially accessing files or directories they shouldn't be able to reach. |
| CWE-428 | Unquoted Search Path or Element | This vulnerability occurs when a program uses a file path or command that contains spaces and is not enclosed in quotes. The operating system may misinterpret where the executable file is located, potentially allowing an attacker to run a malicious program with higher privileges. |
| CWE-43 | Path Equivalence: 'filename....' (Multiple Trailing Dot) | This vulnerability occurs when an application accepts file or directory paths containing multiple trailing dots (like 'file....') without proper validation. Attackers can exploit this to bypass security checks, potentially accessing files or directories outside the intended scope. |
| CWE-44 | Path Equivalence: 'file.name' (Internal Dot) | This vulnerability occurs when an application accepts file paths containing internal dots (like 'file.ordir') without properly checking them. Attackers can exploit this to bypass security checks, traverse directories, and access sensitive files or system areas they shouldn't be able to reach. |
| CWE-45 | Path Equivalence: 'file...name' (Multiple Internal Dot) | This vulnerability occurs when an application accepts file paths containing sequences of multiple internal dots (like 'file...name') without proper validation. Attackers can exploit this ambiguity to bypass security checks, traverse directories, and access sensitive files or system areas they shouldn't be able to reach. |
| CWE-46 | Path Equivalence: 'filename ' (Trailing Space) | This vulnerability occurs when an application processes file paths that end with a space character (like 'document.txt ') without properly normalizing or rejecting them. Because many operating systems ignore trailing spaces in paths, this can cause the application to resolve the path differently than intended, potentially allowing attackers to access unauthorized files or directories. |
| CWE-47 | Path Equivalence: ' filename' (Leading Space) | This vulnerability occurs when an application accepts file or directory paths that begin with a space character (like ' filename'), without properly normalizing or validating the input. This can trick the file system's resolution logic, potentially allowing attackers to access unauthorized files or directories outside the intended scope. |
| CWE-48 | Path Equivalence: 'file name' (Internal Whitespace) | This vulnerability occurs when an application accepts file paths containing internal spaces (like 'file name') without proper validation. Attackers can exploit this ambiguity to bypass security checks, potentially accessing files or directories outside the intended scope. |
| CWE-49 | Path Equivalence: 'filename/' (Trailing Slash) | This vulnerability occurs when an application accepts file or directory paths that end with a slash (e.g., 'documents/') without properly normalizing them. This can confuse the system's path resolution logic, potentially allowing an attacker to bypass security checks and access files or directories they shouldn't. |
| CWE-50 | Path Equivalence: '//multiple/leading/slash' | This vulnerability occurs when an application accepts file or directory paths containing multiple leading slashes (like '//multiple/leading/slash') without proper normalization. Attackers can exploit this ambiguity to bypass security checks, potentially accessing files or directories outside the intended scope. |
| CWE-51 | Path Equivalence: '/multiple//internal/slash' | This vulnerability occurs when an application accepts file or directory paths containing multiple consecutive forward slashes (e.g., '/var//www///html') without normalizing them. Attackers can exploit this ambiguity to bypass security checks and access files or directories outside the intended scope. |
| CWE-52 | Path Equivalence: '/multiple/trailing/slash//' | This vulnerability occurs when an application accepts file or directory paths containing multiple consecutive forward slashes (like '/multiple/trailing/slash//') without normalizing them. Different systems may interpret these duplicate slashes differently, potentially allowing attackers to bypass security checks and access restricted files or directories. |
| CWE-53 | Path Equivalence: '\multiple\\internal\backslash' | This vulnerability occurs when an application accepts file paths containing sequences of multiple internal backslashes (like '\multiple\\internal\\backslash') without properly normalizing them. This can confuse the system's path resolution logic, potentially allowing attackers to access files or directories outside the intended scope. |
| CWE-54 | Path Equivalence: 'filedir\' (Trailing Backslash) | This vulnerability occurs when an application accepts file or directory paths that end with a backslash (like 'filedir\') without properly normalizing or validating them. This trailing backslash can cause the system to interpret the path ambiguously, potentially allowing attackers to bypass security checks and access files or directories outside the intended scope. |
| CWE-55 | Path Equivalence: '/./' (Single Dot Directory) | This vulnerability occurs when an application accepts file paths containing '/./' (single dot directory) sequences without proper validation. Attackers can exploit this to bypass intended directory structures, potentially accessing sensitive files or navigating to unauthorized locations within the file system. |
| CWE-56 | Path Equivalence: 'filedir*' (Wildcard) | This vulnerability occurs when an application accepts file or directory paths containing an asterisk wildcard ('*') without proper validation. Attackers can exploit this to bypass intended access controls, potentially reading, writing, or executing files in unauthorized locations. |
| CWE-57 | Path Equivalence: 'fakedir/../realdir/filename' | This vulnerability occurs when an application uses external input to build file paths, allowing attackers to bypass access controls. By submitting a path like 'fakedir/../realdir/filename', they can navigate out of a restricted directory ('fakedir') and into a protected one ('realdir'), accessing files the security mechanisms were designed to block. |
| CWE-58 | Path Equivalence: Windows 8.3 Filename | This vulnerability occurs when an application's security controls successfully block access to a file's full name on Windows, but fail to protect the shorter 8.3 format version of the same filename, creating a bypassable loophole. |
| CWE-66 | Improper Handling of File Names that Identify Virtual Resources | This vulnerability occurs when software incorrectly processes a filename that points to a 'virtual' resource—like a device, pipe, or internal system object—instead of a regular file. The application mistakenly performs file operations (like read, write, or copy) on this non-file resource, which can lead to crashes, data exposure, or unexpected system behavior. |
| CWE-67 | Improper Handling of Windows Device Names | This vulnerability occurs when an application builds file paths from user input but fails to properly recognize or handle Windows reserved device names like AUX, CON, or COM1. Attackers can exploit this by submitting these special names, which typically causes the application to crash, hang, or leak sensitive information when it tries to access them as regular files. |
| CWE-706 | Use of Incorrectly-Resolved Name or Reference | This vulnerability occurs when software uses a name, path, or reference to access a resource, but that identifier points to something outside the area the application is supposed to control, leading to unauthorized access or manipulation. |
| CWE-72 | Improper Handling of Apple HFS+ Alternate Data Stream Path | This vulnerability occurs when software fails to correctly process HFS+ file system paths that point to alternate data streams, such as a file's data or resource fork. |
| CWE-73 | External Control of File Name or Path | This vulnerability occurs when an application uses unvalidated user input to construct file or directory paths for filesystem operations. |
| CWE-888 | Software Fault Pattern (SFP) Clusters | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.