CWE-61: UNIX Symbolic Link (Symlink) Following
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
扩展描述
A product that allows UNIX symbolic links (symlink) as part of paths whether in internal code or through user input can allow an attacker to spoof the symbolic link and traverse the file system to unintended locations or access arbitrary files. The symbolic link can permit an attacker to read/write/corrupt a file that they originally did not have permissions to access.
常见后果
影响范围: Confidentiality Integrity
技术影响: Read Files or Directories Modify Files or Directories
潜在缓解措施
阶段: Implementation
描述: Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program as to prevent attackers from manipulating the files.
阶段: Architecture and Design
策略: Separation of Privilege
观察示例
参考: CVE-1999-1386
Some versions of Perl follow symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack.
参考: CVE-2000-1178
Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users.
参考: CVE-2004-0217
Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile.
参考: CVE-2003-0517
Symlink attack allows local users to overwrite files.
参考: CVE-2004-0689
Possible interesting example
参考: CVE-2005-1879
Second-order symlink vulnerabilities
参考: CVE-2005-1880
Second-order symlink vulnerabilities
参考: CVE-2005-1916
Symlink in Python program
参考: CVE-2000-0972
Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails.
参考: CVE-2005-0824
Signal causes a dump that follows symlinks.
参考: CVE-2015-3629
A Libcontainer used in Docker Engine allows local users to escape containerization and write to an arbitrary file on the host system via a symlink attack in an image when respawning a container.
参考: CVE-2020-26277
In a MySQL database deployment tool, users may craft a maliciously packaged tarball that contains symlinks to files external to the target and once unpacked, will execute.
参考: CVE-2021-21272
"Zip Slip" vulnerability in Go-based Open Container Initiative (OCI) registries product allows writing arbitrary files outside intended directory via symbolic links or hard links in a gzipped tarball.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | These are typically reported for temporary files or privileged programs. |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | UNIX symbolic link following | - |
关键信息
CWE ID: CWE-61
抽象级别: Compound
结构: Composite
状态: Incomplete
利用可能性: High