CWE-37: Path Traversal: '/absolute/pathname/here'
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.
常见后果
影响范围: Confidentiality Integrity
技术影响: Read Files or Directories Modify Files or Directories
潜在缓解措施
阶段: Implementation
策略: Input Validation
有效性: High
阶段: Implementation
策略: Input Validation
描述: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
观察示例
参考: CVE-2002-1345
Multiple FTP clients write arbitrary files via absolute paths in server responses
参考: CVE-2001-1269
ZIP file extractor allows full path
参考: CVE-2002-1818
Path traversal using absolute pathname
参考: CVE-2002-1913
Path traversal using absolute pathname
参考: CVE-2005-2147
Path traversal using absolute pathname
参考: CVE-2000-0614
Arbitrary files may be overwritten via compressed attachments that specify absolute path names for the decompressed output.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | /absolute/pathname/here | - |
| CERT C Secure Coding | FIO05-C | Identify files using multiple file attributes | - |
| Software Fault Patterns | SFP16 | Path Traversal | - |