
CWE-32 (Path Traversal: '...' (Triple Dot)) — Vulnerability Class 2

2 vulnerabilities classified as CWE-32 (Path Traversal: '...' (Triple Dot)). AI Chinese analysis included.

CWE-32 represents a path traversal vulnerability where software fails to properly sanitize triple-dot sequences within user-supplied input used to construct file paths. Attackers exploit this weakness by injecting specific character sequences, such as ‘...’, into input fields to bypass directory restrictions and access sensitive files located outside the intended scope. This manipulation allows the application to resolve the path incorrectly, granting unauthorized access to critical system resources or confidential data. To mitigate this risk, developers must implement rigorous input validation, ensuring that all path components are strictly checked against allowed characters and patterns. Additionally, using canonicalization techniques to resolve paths before access checks, combined with strict whitelisting of permitted directories, effectively neutralizes these traversal attempts and secures the application’s file system integrity.

MITRE CWE Description
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '...' (triple dot) sequences that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. The '...' manipulation is useful for bypassing some path traversal protection schemes. On some Windows systems, it is equivalent to "..\.." and might bypass checks that assume only two dots are valid. Incomplete filtering, such as removal of "./" sequences, can ultimately produce valid ".." sequences due to a collapse into unsafe value (CWE-182).
Common Consequences (1)
Scope: Confidentiality, Integrity
Impact: Read Files or Directories, Modify Files or Directories
Mitigations (2)

Phase: Implementation
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Effectiveness: High

Phase: Implementation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
CVE ID | Title | CVSS | Severity | Published
CVE-2024-41784 | IBM Sterling Secure Proxy directory traversal — Sterling Secure Proxy | 7.5 | High | 2024-11-15
CVE-2024-6049 | Unauthenticated Path Traversal — vsm LTC Time Sync (vTimeSync) | 7.5 | High | 2024-10-24

Vulnerabilities classified as CWE-32 (Path Traversal: '...' (Triple Dot)) represent 2 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.