CWE -
CWE-36: Absolute Path Traversal (4.15) ([original](http://cwe.mitre.org/data/definitions/36.html)) ([raw](?raw))| CWE Glossary Definition |  |
|---|---|
Weakness ID: 36
Vulnerability Mapping: ALLOWEDThis CWE ID may be used to map to real-world vulnerabilities
Abstraction: BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.
Description
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
Extended Description
This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
Common Consequences
This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
| Scope | Impact | Likelihood |
|---|---|---|
| IntegrityConfidentialityAvailability | Technical Impact: _Execute Unauthorized Code or Commands_The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries. | |
| Integrity | Technical Impact: _Modify Files or Directories_The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication. | |
| Confidentiality | Technical Impact: _Read Files or Directories_The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system. | |
| Availability | Technical Impact: _DoS: Crash, Exit, or Restart_The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the product from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the product. |
Relationships
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
Relevant to the view "Research Concepts" (CWE-1000)
| Nature | Type | ID | Name |
|---|---|---|---|
| ChildOf |  Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. |
22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| ParentOf |  Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. |
37 | Path Traversal: '/absolute/pathname/here' |
| ParentOf | Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. |
38 | Path Traversal: '\absolute\pathname\here' |
| ParentOf | Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. |
39 | Path Traversal: 'C:dirname' |
| ParentOf | Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. |
40 | Path Traversal: '\\UNC\share\name\' (Windows UNC Share) |
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
Relevant to the view "CISQ Quality Measures (2020)" (CWE-1305)
| Nature | Type | ID | Name |
|---|---|---|---|
| ChildOf | Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. |
22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
Relevant to the view "CISQ Data Protection Measures" (CWE-1340)
| Nature | Type | ID | Name |
|---|---|---|---|
| ChildOf | Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. |
22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Modes Of Introduction
The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.
| Phase | Note |
|---|---|
| Implementation |
Applicable Platforms
This listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.
Languages
Class: Not Language-Specific (Undetermined Prevalence)
Demonstrative Examples
Example 1
In the example below, the path to a dictionary file is read from a system property and used to initialize a File object.
(bad code)
Example Language: Java
String filename = System.getProperty("com.domain.application.dictionaryFile");
File dictionaryFile = new File(filename);
However, the path is not validated or modified to prevent it from containing relative or absolute path sequences before creating the File object. This allows anyone who can control the system property to determine what file is used. Ideally, the path should be resolved relative to some kind of application or user home directory.
Example 2
This script intends to read a user-supplied file from the current directory. The user inputs the relative path to the file and the script uses Python's os.path.join() function to combine the path to the current working directory with the provided path to the specified file. This results in an absolute path to the desired file. If the file does not exist when the script attempts to read it, an error is printed to the user.
(bad code)
Example Language: Python
import os
import sys
def main():
filename = sys.argv[1]
path = os.path.join(os.getcwd(), filename)
try:
with open(path, 'r') as f:
file_data = f.read()
except FileNotFoundError as e:
print("Error - file not found")
main()
However, if the user supplies an absolute path, the os.path.join() function will discard the path to the current working directory and use only the absolute path provided. For example, if the current working directory is /home/user/documents, but the user inputs /etc/passwd, os.path.join() will use only /etc/passwd, as it is considered an absolute path. In the above scenario, this would cause the script to access and read the /etc/passwd file.
(good code)
Example Language: Python
import os
import sys
def main():
filename = sys.argv[1]
path = os.path.normpath(f"{os.getcwd()}{os.sep}{filename}")
try:
with open(path, 'r') as f:
file_data = f.read()
except FileNotFoundError as e:
print("Error - file not found")
main()
The constructed path string uses os.sep to add the appropriate separation character for the given operating system (e.g. '\' or '/') and the call to os.path.normpath() removes any additional slashes that may have been entered - this may occur particularly when using a Windows path. By putting the pieces of the path string together in this fashion, the script avoids a call to os.path.join() and any potential issues that might arise if an absolute path is entered. With this version of the script, if the current working directory is /home/user/documents, and the user inputs /etc/passwd, the resulting path will be /home/user/documents/etc/passwd. The user is therefore contained within the current working directory as intended.
Observed Examples
| Reference | Description |
|---|---|
| CVE-2022-31503 | Python package constructs filenames using an unsafe os.path.join call on untrusted input, allowing absolute path traversal because os.path.join resets the pathname to an absolute path that is specified as part of the input. |
| CVE-2002-1345 | Multiple FTP clients write arbitrary files via absolute paths in server responses |
| CVE-2001-1269 | ZIP file extractor allows full path |
| CVE-2002-1818 | Path traversal using absolute pathname |
| CVE-2002-1913 | Path traversal using absolute pathname |
| CVE-2005-2147 | Path traversal using absolute pathname |
| CVE-2000-0614 | Arbitrary files may be overwritten via compressed attachments that specify absolute path names for the decompressed output. |
| CVE-1999-1263 | Mail client allows remote attackers to overwrite arbitrary files via an e-mail message containing a uuencoded attachment that specifies the full pathname for the file to be modified. |
| CVE-2003-0753 | Remote attackers can read arbitrary files via a full pathname to the target file in config parameter. |
| CVE-2002-1525 | Remote attackers can read arbitrary files via an absolute pathname. |
| CVE-2001-0038 | Remote attackers can read arbitrary files by specifying the drive letter in the requested URL. |
| CVE-2001-0255 | FTP server allows remote attackers to list arbitrary directories by using the "ls" command and including the drive letter name (e.g. C:) in the requested pathname. |
| CVE-2001-0933 | FTP server allows remote attackers to list the contents of arbitrary drives via a ls command that includes the drive letter as an argument. |
| CVE-2002-0466 | Server allows remote attackers to browse arbitrary directories via a full pathname in the arguments to certain dynamic pages. |
| CVE-2002-1483 | Remote attackers can read arbitrary files via an HTTP request whose argument is a filename of the form "C:" (Drive letter), "//absolute/path", or ".." . |
| CVE-2004-2488 | FTP server read/access arbitrary files using "C:\" filenames |
| CVE-2001-0687 | FTP server allows a remote attacker to retrieve privileged web server system information by specifying arbitrary paths in the UNC format (\\computername\sharename). |
Detection Methods
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Memberships
This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.
Vulnerability Mapping Notes
| Usage: ALLOWED(this CWE ID could be used to map to real-world vulnerabilities) |
|---|
| Reason: Acceptable-Use |
| Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. |
| Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. |
Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | Absolute Path Traversal | ||
| Software Fault Patterns | SFP16 | Path Traversal |
References
Content History
| Submissions |
||
|---|---|---|
| Submission Date | Submitter | Organization |
| 2006-07-19(CWE Draft 3, 2006-07-19) | PLOVER | |
| Modifications |
||
| Modification Date | Modifier | Organization |
| 2008-07-01 | Sean Eidemiller | Cigital |
| added/updated demonstrative examples | ||
| 2008-07-01 | Eric Dalci | Cigital |
| updated Time_of_Introduction | ||
| 2008-09-08 | CWE Content Team | MITRE |
| updated Relationships, Taxonomy_Mappings | ||
| 2008-10-14 | CWE Content Team | MITRE |
| updated Description | ||
| 2010-02-16 | CWE Content Team | MITRE |
| updated Demonstrative_Examples | ||
| 2010-06-21 | CWE Content Team | MITRE |
| updated Demonstrative_Examples, Description | ||
| 2011-06-01 | CWE Content Team | MITRE |
| updated Common_Consequences, Relationships, Taxonomy_Mappings | ||
| 2011-09-13 | CWE Content Team | MITRE |
| updated Relationships, Taxonomy_Mappings | ||
| 2012-05-11 | CWE Content Team | MITRE |
| updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships | ||
| 2012-10-30 | CWE Content Team | MITRE |
| updated Potential_Mitigations | ||
| 2014-07-30 | CWE Content Team | MITRE |
| updated Relationships, Taxonomy_Mappings | ||
| 2017-01-19 | CWE Content Team | MITRE |
| updated Related_Attack_Patterns | ||
| 2017-11-08 | CWE Content Team | MITRE |
| updated Applicable_Platforms | ||
| 2020-02-24 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2020-08-20 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2020-12-10 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2021-03-15 | CWE Content Team | MITRE |
| updated Demonstrative_Examples | ||
| 2022-10-13 | CWE Content Team | MITRE |
| updated Observed_Examples | ||
| 2023-01-31 | CWE Content Team | MITRE |
| updated Common_Consequences, Description | ||
| 2023-04-27 | CWE Content Team | MITRE |
| updated Demonstrative_Examples, Detection_Factors, Relationships, Time_of_Introduction | ||
| 2023-06-29 | CWE Content Team | MITRE |
| updated Mapping_Notes | ||
| 2024-07-16(CWE 4.15, 2024-07-16) | CWE Content Team | MITRE |
| updated References |
More information is available — Please edit the custom filter or select a different filter.