
CWE-427 (Uncontrolled Search Path Element) — Vulnerability Class 545

545 vulnerabilities classified as CWE-427 (Uncontrolled Search Path Element). AI Chinese analysis included.

CWE-427 covers software that locates a resource, most often an executable or a code library, through a search path in which at least one directory is writable by an unintended party. The attacker plants a file with the expected name in a directory that is consulted before the legitimate location, or in a directory the lookup falls through to when the legitimate file is absent (the "phantom DLL" case), and the next time the program runs it loads the planted code with the program's own privileges, giving code execution and, for a privileged service or installer, local privilege escalation. On Windows this is DLL search-order hijacking: a DLL name passed to LoadLibrary without a fully qualified path is resolved from the application directory first, and the current working directory is still searched later in the order. On Unix-like systems the weak element is usually an empty entry, ".", a relative entry or a shared temporary directory such as /tmp in PATH or LD_LIBRARY_PATH. Mitigations: reference executables and libraries by absolute path; rebuild or restrict the environment (PATH, LD_LIBRARY_PATH and similar) before spawning children; drop the current working directory and temporary directories from any search path you do honour; and, where possible, verify what was loaded (Authenticode signature checks or LOAD_LIBRARY_SEARCH_SYSTEM32 on Windows, ownership and permission checks elsewhere). This is a search-order weakness, not path traversal (CWE-22): the attacker supplies no path component at all, only a file placed where the lookup will find it.

MITRE CWE Description

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

Although this weakness can occur with any type of resource, it is frequently introduced when a product uses a directory search path to find executables or code libraries, but the path contains a directory that can be modified by an attacker, such as "/tmp" or the current working directory.

In Windows-based systems, when the LoadLibrary or LoadLibraryEx function is called with a DLL name that does not contain a fully qualified path, the function follows a search order that includes two path elements that might be uncontrolled:
- the directory from which the program has been loaded
- the current working directory

In some cases, the attack can be conducted remotely, such as when SMB or WebDAV network shares are used.

One or more locations in that path could include the Windows drive root or its subdirectories. This often exists in Linux-based code assuming the controlled nature of the root directory (/) or its subdirectories (/etc, etc), or a code that recursively accesses the parent directory. In Windows, the drive root and some of its subdirectories have weak permissions by default, which makes them uncontrolled.

In some Unix-based systems, a PATH might be created that contains an empty element, e.g. by splicing an empty variable into the PATH. This empty element can be interpreted as equivalent to the current working directo…
Common Consequences (1)

Scope: Confidentiality, Integrity, Availability
Impact: Execute Unauthorized Code or Commands

Mitigations (5)

1. Phase: Architecture and Design, Implementation
Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.

2. Phase: Implementation
When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the fully-qualified paths in a centralized, easily-modifiable location within the source code, and having the code ref…

3. Phase: Implementation
Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.

4. Phase: Implementation
Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a denylist approach, it might not be a complete solution.

5. Phase: Implementation
Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path.
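Mitigations 3 and 4 (restrict the environment handed to child processes; audit the search path and drop unsafe elements) in working Go. This is an added example, not code from the page or from MITRE; the names `sharedTempDirs`, `searchPathVars`, `SanitizeSearchPath` and `ChildEnv` are this example's own, the temp-directory list and the world-writable check assume a Unix-like host, and the PATH string in `main` is constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Directories that every local user can write to on typical Unix systems and
// that must therefore never be honoured as search-path elements. The sticky
// bit does not help here: it stops deletion of other users' files, not the
// creation of a new "make" or "git" by the attacker.
var sharedTempDirs = []string{"/tmp", "/var/tmp", "/dev/shm"}

// Environment variables that redirect where executables or libraries are
// looked up; a child process must not inherit them from an untrusted caller.
var searchPathVars = []string{
	"PATH", "LD_LIBRARY_PATH", "LD_PRELOAD", "LD_AUDIT",
	"DYLD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES",
	"PYTHONPATH", "PERL5LIB", "RUBYLIB", "CLASSPATH", "NODE_PATH",
}

// unsafeReason explains why a single search-path element must not be trusted,
// or returns "" if it may be kept. Form is checked first (pure string logic),
// then the filesystem is consulted for type and permission bits.
func unsafeReason(dir string) string {
	switch {
	case dir == "":
		return "empty element (interpreted as the current working directory)"
	case dir == "." || dir == "..":
		return "explicit current/parent directory"
	case !filepath.IsAbs(dir):
		return "relative path (resolved against the current working directory)"
	}
	clean := filepath.Clean(dir)
	for _, t := range sharedTempDirs {
		if clean == t || strings.HasPrefix(clean, t+string(filepath.Separator)) {
			return "shared temporary directory"
		}
	}
	info, err := os.Stat(clean)
	if err != nil {
		return "does not exist or cannot be inspected (could be created later)"
	}
	if !info.IsDir() {
		return "not a directory"
	}
	if info.Mode().Perm()&0o002 != 0 {
		return "world-writable"
	}
	return ""
}

// SanitizeSearchPath splits a PATH-style string, removes every element that
// unsafeReason rejects and de-duplicates the rest, preserving order. The map
// records what was dropped and why, so the decision can be logged.
func SanitizeSearchPath(path string) (kept []string, dropped map[string]string) {
	dropped = map[string]string{}
	seen := map[string]bool{}
	for _, dir := range filepath.SplitList(path) {
		if reason := unsafeReason(dir); reason != "" {
			dropped[dir] = reason
			continue
		}
		clean := filepath.Clean(dir)
		if !seen[clean] {
			seen[clean] = true
			kept = append(kept, clean)
		}
	}
	return kept, dropped
}

// ChildEnv builds the environment for a child process from the parent's:
// every variable that influences executable or library lookup is removed and
// PATH is replaced by the sanitized list. Everything else passes through.
func ChildEnv(parent []string, safePath []string) []string {
	drop := map[string]bool{}
	for _, v := range searchPathVars {
		drop[v] = true
	}
	var env []string
	for _, kv := range parent {
		name, _, _ := strings.Cut(kv, "=")
		if !drop[name] {
			env = append(env, kv)
		}
	}
	return append(env, "PATH="+strings.Join(safePath, string(filepath.ListSeparator)))
}

func main() {
	// Constructed PATH containing the classic unsafe elements.
	const inherited = "/usr/bin::/bin:.:/tmp/tools:relative/bin"
	kept, dropped := SanitizeSearchPath(inherited)
	fmt.Println("kept:", kept)
	for dir, why := range dropped {
		fmt.Printf("dropped %q: %s\n", dir, why)
	}
	env := ChildEnv(os.Environ(), kept)
	fmt.Println("child PATH:", env[len(env)-1])
}
```

Pass the result of `ChildEnv` as `cmd.Env` on the `exec.Cmd` you spawn. Because this is a denylist (mitigation 4 says so), combine it with an absolute path for the program itself; the sanitized PATH only protects whatever the child in turn looks up.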
Examples (2)

The following code is from a web application that allows users access to an interface through which they can update their password on the system. In this environment, user passwords can be managed using the Network Information System (NIS), which is commonly used on UNIX systems. When performing NIS updates, part of the process for updating passwords is to run a make command in the /var/yp directo…

```java
...
System.Runtime.getRuntime().exec("make");
...
```
Bad · Java

In versions of Go prior to v1.19, the LookPath function would follow the conventions of the runtime OS and look for a program in the directories listed in the current PATH [REF-1325].

```go
package main

import "os/exec"

// Vulnerable: before Go 1.19, LookPath could resolve "git" to a file in the
// current working directory when PATH held "." or an empty element.
func ExecuteGitCommand(name string, arg []string) error {
	c := exec.Command(name, arg...)
	var err error
	c.Path, err = exec.LookPath(name)
	if err != nil {
		return err
	}
	return c.Run() // runs whatever LookPath found; MITRE's fragment ends before this line
}
```
Bad · Go
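A hardened counterpart to the Go example above, added here as an illustration and not taken from the page, from MITRE or from the Go project. The executable is resolved only from a hard-coded allowlist of absolute directories (mitigation 1), relative names and relative allowlist entries are refused outright, and the child gets a minimal environment. Go 1.19 and later make exec.LookPath return exec.ErrDot instead of a working-directory-relative result, but an explicit allowlist is stricter and does not depend on the toolchain version. `trustedBinDirs`, `ResolveExecutable`, `isExecutableFile` and `ErrUntrustedLocation` are names chosen for this example, and the execute-bit check assumes Unix permission semantics.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// ErrUntrustedLocation is returned when a caller-supplied absolute path does
// not live in one of the allowed directories.
var ErrUntrustedLocation = errors.New("executable is outside the allowed directories")

// trustedBinDirs is the hard-coded search path (mitigation 1). It is a
// constructed value for this example; in a deployment it comes from
// administrator-controlled configuration, never from the process environment.
var trustedBinDirs = []string{"/usr/bin", "/bin"}

// isExecutableFile reports whether p is a regular file with an execute bit set
// (Unix semantics assumed).
func isExecutableFile(p string) bool {
	info, err := os.Stat(p)
	return err == nil && info.Mode().IsRegular() && info.Mode().Perm()&0o111 != 0
}

// ResolveExecutable is a hardened replacement for exec.LookPath: it consults
// only allowedDirs, refuses any allowlist entry that is not absolute (so ""
// and "." can never be resolved against the current working directory), and
// accepts a name containing a path separator only when it is absolute and
// inside an allowed directory.
func ResolveExecutable(name string, allowedDirs []string) (string, error) {
	for _, dir := range allowedDirs {
		if !filepath.IsAbs(dir) {
			return "", fmt.Errorf("allowlist entry %q is not absolute; refusing to search relative to the CWD", dir)
		}
	}
	inAllowed := func(p string) bool {
		for _, dir := range allowedDirs {
			if filepath.Clean(dir) == filepath.Dir(p) {
				return true
			}
		}
		return false
	}
	if strings.ContainsRune(name, filepath.Separator) {
		if !filepath.IsAbs(name) {
			return "", fmt.Errorf("%q: relative executable paths are not permitted", name)
		}
		clean := filepath.Clean(name)
		if !inAllowed(clean) {
			return "", fmt.Errorf("%w: %s", ErrUntrustedLocation, clean)
		}
		if !isExecutableFile(clean) {
			return "", fmt.Errorf("%q is not an executable file", clean)
		}
		return clean, nil
	}
	for _, dir := range allowedDirs {
		candidate := filepath.Join(dir, name)
		if isExecutableFile(candidate) {
			return candidate, nil
		}
	}
	return "", fmt.Errorf("%q not found in allowed directories %v", name, allowedDirs)
}

// ExecuteGitCommand runs git with the given arguments. The binary is resolved
// from trustedBinDirs, never from the inherited PATH or the working directory,
// and the child receives a minimal environment so that nothing git itself
// spawns can be hijacked through inherited search-path variables either.
func ExecuteGitCommand(arg []string) error {
	path, err := ResolveExecutable("git", trustedBinDirs)
	if err != nil {
		return err
	}
	c := exec.Command(path, arg...)
	c.Env = []string{
		"PATH=" + strings.Join(trustedBinDirs, string(filepath.ListSeparator)),
		"LC_ALL=C",
	}
	c.Stdout, c.Stderr = os.Stdout, os.Stderr
	return c.Run()
}

func main() {
	if err := ExecuteGitCommand([]string{"--version"}); err != nil {
		fmt.Println("error:", err)
	}
}
```

Passing an absolute path to exec.Command also sidesteps the implicit LookPath call that the vulnerable version relied on, so the only lookup that happens is the one this code controls.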
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2020-3153 | Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability | Cisco AnyConnect Secure Mobility Client | 8.4 | - | 2020-02-19
CVE-2019-6858 | Schneider Electric MSX Configurator Code Issue Vulnerability | MSX Configurator (software versions prior to V1.0.8.1) | 7.8 | - | 2020-01-22
CVE-2019-18575 | Dell Command Configure Code Issue Vulnerability | Dell Command Configure (DCC) | 7.8 | - | 2019-12-06
CVE-2019-3750 | Dell Command Update Link Following Vulnerability | Dell Command Update (DCU) | 5.5 | - | 2019-12-03
CVE-2019-3749 | Dell Command Update Link Following Vulnerability | Dell Command Update (DCU) | 5.5 | - | 2019-12-03
CVE-2019-16001 | Cisco Webex Teams for Windows DLL Hijacking Vulnerability | Cisco Webex Teams | 6.6 | - | 2019-11-26
CVE-2019-3745 | Dell Encryption Enterprise and Dell Endpoint Security Suite Enterprise Code Issue Vulnerability | Dell Encryption Enterprise | 7.3 | - | 2019-10-07
CVE-2019-5631 | Rapid7 InsightAppSec Local Privilege Escalation | InsightAppSec | 7.8 | - | 2019-08-19
CVE-2019-6825 | Schneider Electric ProClima Code Issue Vulnerability | ProClima, all versions prior to 8.0.0 | 7.8 | - | 2019-07-15
CVE-2019-5629 | Rapid7 Insight Agent Permissions and Access Control Issue Vulnerability | Insight Agent | 8.4 | - | 2019-07-13
CVE-2019-6546 | GE Communicator Code Issue Vulnerability | GE Communicator | 7.1 | - | 2019-05-09
CVE-2019-6564 | GE Communicator Code Issue Vulnerability | GE Communicator | 7.3 | - | 2019-05-09
CVE-2019-1794 | Cisco Directory Connector Search Order Hijacking Vulnerability | Cisco Directory Connector | 3.4 | - | 2019-04-18
CVE-2019-6534 | Gemalto Sentinel UltraPro Code Issue Vulnerability | Sentinel UltraPro | 7.8 | - | 2019-04-11
CVE-2015-1014 | Schneider Electric OPC Factory Server Security Vulnerability | OFS v3.5 | 7.8 | - | 2019-03-25
CVE-2018-15452 | Cisco Advanced Malware Protection for Endpoints on Windows DLL Preloading Vulnerability | Cisco AMP for Endpoints | 6.7 | - | 2018-11-13
CVE-2018-14812 | Fuji Electric Energy Savings Estimator Security Vulnerability | Energy Savings Estimator | 7.8 | - | 2018-10-24
CVE-2018-13806 | Siemens TD Keypad Designer Security Vulnerability | SIEMENS TD Keypad Designer | 7.8 | - | 2018-09-12
CVE-2018-14797 | Emerson Electric DeltaV DCS Security Vulnerability | DeltaV DCS | 7.8 | - | 2018-08-23
CVE-2017-5175 | Advantech WebAccess Security Vulnerability | Advantech WebAccess versions 8.1 and prior | 7.8 | - | 2018-05-09
CVE-2017-14010 | iniNet SpiderControl MicroBrowser Security Vulnerability | MicroBrowser | 7.8 | - | 2018-04-26
CVE-2018-5457 | Vyaire Medical CareFusion Upgrade Utility Security Vulnerability | Vyaire Medical CareFusion Upgrade Utility | 7.0 | - | 2018-02-06
CVE-2017-5170 | Moxa SoftNVR-IA Live Viewer Security Vulnerability | Moxa SoftNVR-IA Live Viewer | 7.2 | - | 2018-01-18
CVE-2017-12313 | Cisco Network Academy Packet Tracer Software Security Vulnerability | Cisco Network Academy Packet Tracer | 6.7 | - | 2017-11-16
CVE-2017-12314 | Cisco FindIT Network Discovery Utility Security Vulnerability | Cisco FindIT Discovery Utility | 7.8 | - | 2017-11-16
CVE-2017-14020 | Multiple AutomationDirect Products Security Vulnerability | CLICK Programming Software (Part Number C0-PGMSW) | 7.8 | - | 2017-11-13
CVE-2017-14029 | Trihedral VTScada Security Vulnerability | Trihedral Engineering Limited VTScada | 7.8 | - | 2017-11-06
CVE-2017-14017 | Progea Movicon Security Vulnerability | Progea Movicon SCADA/HMI | 7.8 | - | 2017-10-19
CVE-2017-5147 | AzeoTech DAQFactory Security Vulnerability | AzeoTech DAQFactory | 8.4 | - | 2017-09-09
CVE-2017-11158 | Synology Cloud Station Drive for Windows Installer Vulnerability | Cloud Station Drive | 7.8 | - | 2017-08-31

(The Severity column is not populated on this page; CVSS is the base score as listed by the site.)

Vulnerabilities classified as CWE-427 (Uncontrolled Search Path Element) account for 545 CVEs on this site; the table above lists 30 of them in descending order of publication date. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.