Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-249 — Vulnerability Class 1

1 vulnerabilities classified as CWE-249. AI Chinese analysis included.

CWE-249, now deprecated due to conceptual overlap with CWE-785, originally described path manipulation vulnerabilities where applications fail to properly sanitize user-supplied input before using it in file system operations. Attackers typically exploit this weakness by injecting special characters, such as dots and slashes, into input fields to traverse directory structures or access unauthorized files outside the intended scope. This often leads to sensitive data exposure, denial of service, or remote code execution if the manipulated path points to executable scripts. To prevent such exploits, developers must rigorously validate and sanitize all user inputs, ensuring they conform to expected formats. Implementing strict allowlists for permitted characters and using canonicalization techniques to resolve symbolic links further mitigates risks. Additionally, employing secure coding practices like chroot jails or sandboxing limits the potential impact of any successful path traversal attempt.

MITRE CWE Description
This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785. This entry was deprecated for several reasons. The primary reason is over-loading of the "path manipulation" term and the description. The original description for this entry was the same as that for the "Often Misused: File System" item in the original Seven Pernicious Kingdoms paper. However, Seven Pernicious Kingdoms also has a "Path Manipulation" phrase that is for external control of pathnames (CWE-73), which is a factor in symbolic link following and path traversal, neither of which is explicitly mentioned in 7PK. Fortify uses the phrase "Often Misused: Path Manipulation" for a broader range of problems, generally for issues related to buffer management. Given the multiple conflicting uses of this term, there is a chance that CWE users may have incorrectly mapped to this entry. The second reason for deprecation is an implied combination of multiple weaknesses within buffer-handling functions. The focus of this entry was generally on the path-conversion functions and their association with buffer overflows. However, some of Fortify's Vulncat entries have the term "path manipulation" but describe a non-overflow weakness in which the buffer is not guaranteed to contain the entire pathname, i.e., the…
CVE IDTitleCVSSSeverityPublished
CVE-2019-3932 Crestron Electronics AM-100和Crestron Electronics AM-101 信任管理问题漏洞 — Crestron AirMedia 9.8 -2019-04-30

Vulnerabilities classified as CWE-249 represent 1 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.