CWE-36: Absolute Path Traversal
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
扩展描述
This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
常见后果
影响范围: Integrity Confidentiality Availability
技术影响: Execute Unauthorized Code or Commands
说明: The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.
影响范围: Integrity
技术影响: Modify Files or Directories
说明: The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.
影响范围: Confidentiality
技术影响: Read Files or Directories
说明: The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.
影响范围: Availability
技术影响: DoS: Crash, Exit, or Restart
说明: The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the product from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the product.
潜在缓解措施
阶段: Implementation
策略: Input Validation
有效性: High
阶段: Implementation
策略: Input Validation
描述: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
阶段: Operation
策略: Firewall
描述: Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
有效性: Moderate
检测方法
方法: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
有效性: High
观察示例
参考: CVE-2024-0520
Product for managing datasets for AI model training and evaluation allows both relative (CWE-23) and absolute (CWE-36) path traversal to overwrite files via the Content-Disposition header
参考: CVE-2022-31503
Python package constructs filenames using an unsafe os.path.join call on untrusted input, allowing absolute path traversal because os.path.join resets the pathname to an absolute path that is specified as part of the input.
参考: CVE-2002-1345
Multiple FTP clients write arbitrary files via absolute paths in server responses
参考: CVE-2001-1269
ZIP file extractor allows full path
参考: CVE-2002-1818
Path traversal using absolute pathname
参考: CVE-2002-1913
Path traversal using absolute pathname
参考: CVE-2005-2147
Path traversal using absolute pathname
参考: CVE-2000-0614
Arbitrary files may be overwritten via compressed attachments that specify absolute path names for the decompressed output.
参考: CVE-1999-1263
Mail client allows remote attackers to overwrite arbitrary files via an e-mail message containing a uuencoded attachment that specifies the full pathname for the file to be modified.
参考: CVE-2003-0753
Remote attackers can read arbitrary files via a full pathname to the target file in config parameter.
参考: CVE-2002-1525
Remote attackers can read arbitrary files via an absolute pathname.
参考: CVE-2001-0038
Remote attackers can read arbitrary files by specifying the drive letter in the requested URL.
参考: CVE-2001-0255
FTP server allows remote attackers to list arbitrary directories by using the "ls" command and including the drive letter name (e.g. C:) in the requested pathname.
参考: CVE-2001-0933
FTP server allows remote attackers to list the contents of arbitrary drives via a ls command that includes the drive letter as an argument.
参考: CVE-2002-0466
Server allows remote attackers to browse arbitrary directories via a full pathname in the arguments to certain dynamic pages.
参考: CVE-2002-1483
Remote attackers can read arbitrary files via an HTTP request whose argument is a filename of the form "C:" (Drive letter), "//absolute/path", or ".." .
参考: CVE-2004-2488
FTP server read/access arbitrary files using "C:\" filenames
参考: CVE-2001-0687
FTP server allows a remote attacker to retrieve privileged web server system information by specifying arbitrary paths in the UNC format (\\computername\sharename).
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
适用平台
编程语言
技术
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | Absolute Path Traversal | - |
| Software Fault Patterns | SFP16 | Path Traversal | - |