CWE-427: Uncontrolled Search Path Element
CWE Version: 4.18
Last Updated: 2025-09-09
Description
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Common Consequences
Scope: Confidentiality, Integrity, Availability
Technical Impact: Execute Unauthorized Code or Commands
Potential Mitigations
Phase: Architecture and Design; Implementation
Strategy: Attack Surface Reduction
Description: Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
Phase: Implementation
Strategy: Attack Surface Reduction
Description: When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the fully-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Phase: Implementation
Strategy: Attack Surface Reduction
Description: Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
Phase: Implementation
Description: Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a denylist approach, it might not be a complete solution.
Phase: Implementation
Description: Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path because the shell it spawns resolves the program name using the PATH environment variable, whereas execl() and execv() do not search PATH at all: they run exactly the pathname they are given, so the caller must supply one. Note that the execlp() and execvp() variants reintroduce the PATH search.
Detection Methods
Method: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Effectiveness: High
Observed Examples
Reference: CVE-2023-25815
Chain: a change in an underlying package causes the gettext function to use implicit initialization with a hard-coded path (CWE-1419) under the user-writable C:\ drive, introducing an untrusted search path element (CWE-427) that enables spoofing of messages.
Reference: CVE-2022-4826
Go-based git extension on Windows can search for and execute a malicious "..exe" in a repository because Go searches the current working directory if git.exe is not found in the PATH.
Reference: CVE-2020-26284
A Static Site Generator built in Go, when running on Windows, searches the current working directory for a command, possibly allowing code execution using a malicious .exe or .bat file with the name being searched.
Reference: CVE-2022-24765
Windows-based fork of git creates a ".git" folder in the C: drive, allowing local attackers to create a .git folder with a malicious config file.
Reference: CVE-2019-1552
SSL package searches under "C:/usr/local" for configuration files and other critical data, but C:/usr/local might be world-writable.
Reference: CVE-2010-3402
"DLL hijacking" issue in document editor.
Reference: CVE-2010-3397
"DLL hijacking" issue in encryption software.
Reference: CVE-2010-3138
"DLL hijacking" issue in library used by multiple media players.
Reference: CVE-2010-3152
"DLL hijacking" issue in illustration program.
Reference: CVE-2010-3147
"DLL hijacking" issue in address book.
Reference: CVE-2010-3135
"DLL hijacking" issue in network monitoring software.
Reference: CVE-2010-3131
"DLL hijacking" issue in web browser.
Reference: CVE-2010-1795
"DLL hijacking" issue in music player/organizer.
Reference: CVE-2002-1576
Product uses the current working directory to find and execute a program, which allows local users to gain privileges by creating a symlink that points to a malicious version of the program.
Reference: CVE-1999-1461
Product trusts the PATH environment variable to find and execute a program, which allows local users to obtain root access by modifying the PATH to point to a malicious version of that program.
Reference: CVE-1999-1318
Software uses a search path that includes the current working directory (.), which allows local users to gain privileges via malicious programs.
Reference: CVE-2003-0579
Admin software trusts the user-supplied -uv.install command line option to find and execute the uv.install program, which allows local users to gain privileges by providing a pathname that is under control of the user.
Reference: CVE-2000-0854
When a document is opened, the directory of that document is first used to locate DLLs, which could allow an attacker to execute arbitrary commands by inserting malicious DLLs into the same directory as the document.
Reference: CVE-2001-0943
Database trusts the PATH environment variable to find and execute programs, which allows local users to modify the PATH to point to malicious programs.
Reference: CVE-2001-0942
Database uses an environment variable to find and execute a program, which allows local users to execute arbitrary programs by changing the environment variable.
Reference: CVE-2001-0507
Server uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a malicious file.
Reference: CVE-2002-2017
Product allows local users to execute arbitrary code by setting an environment variable to reference a malicious program.
Reference: CVE-1999-0690
Product includes the current directory in root's PATH variable.
Reference: CVE-2001-0912
Error during packaging causes product to include a hard-coded, non-standard directory in search path.
Reference: CVE-2001-0289
Product searches current working directory for configuration file.
Reference: CVE-2005-1705
Product searches current working directory for configuration file.
Reference: CVE-2005-1307
Product executes another program from the current working directory.
Reference: CVE-2002-2040
Untrusted path.
Reference: CVE-2005-2072
Modification of trusted environment variable leads to untrusted path vulnerability.
Reference: CVE-2005-1632
Product searches /tmp for modules before other paths.
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
Applicable Platforms
Languages
Operating Systems
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | Uncontrolled Search Path Element | - |