Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-37 (路径遍历:’/absolute/pathname/here’) — Vulnerability Class 6

6 vulnerabilities classified as CWE-37 (路径遍历:’/absolute/pathname/here’). AI Chinese analysis included.

CWE-37 represents a critical input validation weakness where applications accept absolute pathnames without sufficient scrutiny, enabling attackers to manipulate file system navigation. This vulnerability is typically exploited by injecting directory traversal sequences, such as "../" or absolute paths, into user-controlled inputs like filenames or URL parameters. By doing so, malicious actors can bypass intended access controls to read sensitive configuration files, exfiltrate private data, or execute arbitrary code from unintended locations within the server’s file hierarchy. To mitigate this risk, developers must implement strict input validation that rejects any absolute paths or traversal characters, ensuring only relative paths within a designated, safe directory are processed. Additionally, using canonicalization techniques to resolve and verify paths before access, combined with least-privilege file system permissions, significantly reduces the attack surface and prevents unauthorized file system traversal.

MITRE CWE Description
The product accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.
Common Consequences (1)
Confidentiality, IntegrityRead Files or Directories, Modify Files or Directories
Mitigations (2)
ImplementationAssume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Effectiveness: High
ImplementationInputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
CVE IDTitleCVSSSeverityPublished
CVE-2024-12806 SonicWALL SonicOS 安全漏洞 — SonicOS 6.5 -2025-01-09
CVE-2023-20087 Cisco Identity Services Engine Arbitrary File Download Vulnerabilities — Cisco Identity Services Engine Software 4.9 Medium2023-05-18
CVE-2023-20077 Cisco Identity Services Engine Arbitrary File Download Vulnerabilities — Cisco Identity Services Engine Software 4.9 Medium2023-05-18
CVE-2022-20962 Cisco Identity Services Engine 路径遍历漏洞 — Cisco Identity Services Engine Software 3.8 Low2022-11-03
CVE-2022-25347 Delta Electronics DIAEnergie Path Traversal — DIAEnergie 9.8 Critical2022-03-29
CVE-2018-10498 Samsung Email 信息泄露漏洞 — Samsung Email 5.5 -2018-09-24

Vulnerabilities classified as CWE-37 (路径遍历:’/absolute/pathname/here’) represent 6 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.