
CWE-59 (Improper Link Resolution Before File Access ('Link Following')) — Vulnerability Class (426)

426 vulnerabilities are classified as CWE-59 (Improper Link Resolution Before File Access ('Link Following')). AI-generated Chinese analysis is included.

CWE-59 is an input validation weakness in which software opens a file by name without first checking whether that name is a symbolic link, junction or shortcut, and so ends up operating on a different file than intended. An attacker typically plants a link in a location the program will access and points it at a sensitive file or directory outside the intended scope; when the program follows the link without adequate checks, it reads, writes or deletes that target with its own privileges, which can lead to data leakage, privilege escalation or code execution. To mitigate this risk, developers must canonicalize every file path and verify the final resolved path against a strict allowlist before any I/O occurs, use API functions that explicitly control link following, and apply permission checks to the resolved path rather than to the name the caller supplied. Together these controls stop an attacker from using symlinks to bypass security boundaries and reach unintended system components.
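As an added, constructed example (not part of this page, and not code from any product listed on it), the following Python shows the canonicalize-then-verify pattern the paragraph above describes: the requested name is resolved with realpath, the final resolved path is checked to lie under an allowed base directory, and the actual open uses O_NOFOLLOW so that a link swapped in as the last path component after the check is refused rather than followed. The directory layout, file names and contents are made-up test fixtures created in a temporary directory.

```python
import os
import tempfile


def resolve_within(base_dir: str, requested: str) -> str:
    """Canonicalize a caller-supplied relative path (all symlinks followed)
    and return it only if the final resolved path is still under base_dir.

    Raises PermissionError if the path escapes base_dir, whether through
    '..' components or through a symlink that points elsewhere.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole path components, so a sibling directory such
    # as base_dir + "-other" is not mistaken for a child of base_dir.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{requested!r} resolves to {target}, outside {base}")
    return target


def open_nofollow(path: str) -> int:
    """Open path read-only, refusing if its last component is a symlink.

    O_NOFOLLOW is a second line of defence after resolve_within: if someone
    replaces the file with a link between the check and the open, the open
    fails (ELOOP on Linux) instead of silently following the new link.
    O_NOFOLLOW does not exist on Windows; there the extra flag is simply 0.
    """
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags)


def demo() -> dict:
    """Exercise both checks against a constructed scratch layout:

        <tmp>/secret.txt            -- file outside the allowed tree
        <tmp>/uploads/report.txt    -- ordinary allowed file
        <tmp>/uploads/escape.txt    -- symlink -> <tmp>/secret.txt (constructed)
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "uploads")
        os.mkdir(base)
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("outside the allowed tree\n")
        with open(os.path.join(base, "report.txt"), "w") as fh:
            fh.write("inside the allowed tree\n")
        os.symlink(secret, os.path.join(base, "escape.txt"))

        # An ordinary file under base_dir is accepted.
        results["plain_file_allowed"] = resolve_within(base, "report.txt").endswith("report.txt")

        # A symlink whose target lies outside base_dir is rejected.
        try:
            resolve_within(base, "escape.txt")
            results["symlink_escape_blocked"] = False
        except PermissionError:
            results["symlink_escape_blocked"] = True

        # Plain '..' traversal is rejected by the same check.
        try:
            resolve_within(base, "../secret.txt")
            results["dotdot_blocked"] = False
        except PermissionError:
            results["dotdot_blocked"] = True

        # O_NOFOLLOW refuses to open a path whose final component is a link.
        try:
            fd = open_nofollow(os.path.join(base, "escape.txt"))
            os.close(fd)
            results["nofollow_refused_link"] = False
        except OSError:
            results["nofollow_refused_link"] = True
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {'ok' if outcome else 'FAILED'}")
```

The check and the open are still two separate system calls, so a link substituted in a directory component between them is not caught by O_NOFOLLOW, which only governs the last component. On Linux 5.6 and later, openat2(2) with RESOLVE_BENEATH or RESOLVE_NO_SYMLINKS performs the containment check inside the kernel as part of the open itself, and running the process with the least privilege needed (so it cannot write where an attacker can place links) limits what a successful swap could reach.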

MITRE CWE Description
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Common Consequences (2)

Scope: Confidentiality, Integrity, Access Control
Impact: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism
An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.

Scope: Other
Impact: Execute Unauthorized Code or Commands
Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a ".LNK" file can be uploaded like a normal file. This can enable remote execution.

Mitigations (1)

Phase: Architecture and Design
Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
| CVE ID | Title | Affected Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2023-6335 | HYPR Link Following Vulnerability | Workforce Access | 6.4 | Medium | 2024-01-16 |
| CVE-2023-42137 | PAX Technology Android based POS Link Following Vulnerability | POS terminals | 7.8 | High | 2024-01-15 |
| CVE-2023-31003 | IBM Security Access Manager Container privilege escalation | Security Verify Access Appliance | 8.4 | High | 2024-01-11 |
| CVE-2024-20656 | Visual Studio Elevation of Privilege Vulnerability | Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) | 7.8 | High | 2024-01-09 |
| CVE-2024-0206 | Trellix Anti-Malware Engine Link Following Vulnerability | Anti-Malware Engine | 7.1 | High | 2024-01-09 |
| CVE-2023-35624 | Azure Connected Machine Agent Elevation of Privilege Vulnerability | Azure Connected Machine Agent | 7.3 | High | 2023-12-12 |
| CVE-2023-35633 | Windows Kernel Elevation of Privilege Vulnerability | Windows 10 Version 1507 | 7.8 | High | 2023-12-12 |
| CVE-2023-36391 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | Windows 11 version 22H3 | 7.8 | High | 2023-12-12 |
| CVE-2023-43590 | Zoom Rooms Link Following Vulnerability | Zoom Rooms for macOS | 7.8 | High | 2023-11-14 |
| CVE-2023-36047 | Windows Authentication Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.8 | High | 2023-11-14 |
| CVE-2023-36046 | Windows Authentication Denial of Service Vulnerability | Windows 11 version 21H2 | 7.1 | High | 2023-11-14 |
| CVE-2023-36394 | Windows Search Service Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.0 | High | 2023-11-14 |
| CVE-2023-36399 | Windows Storage Elevation of Privilege Vulnerability | Windows Server 2022, 23H2 Edition (Server Core installation) | 7.1 | High | 2023-11-14 |
| CVE-2023-36705 | Windows Installer Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.8 | High | 2023-11-14 |
| CVE-2023-6069 | Improper Link Resolution Before File Access in froxlor/froxlor | froxlor/froxlor | 9.9 | Critical | 2023-11-10 |
| CVE-2023-28797 | LPE using arbitrary file delete with Symlinks | Client Connector | 6.3 | Medium | 2023-10-23 |
| CVE-2023-36568 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability | Microsoft Office 2019 | 7.0 | High | 2023-10-10 |
| CVE-2023-36711 | Windows Runtime C++ Template Library Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.8 | High | 2023-10-10 |
| CVE-2023-36723 | Windows Container Manager Service Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.8 | High | 2023-10-10 |
| CVE-2023-36737 | Azure Network Watcher VM Agent Elevation of Privilege Vulnerability | Azure Network Watcher VM Extension | 7.8 | High | 2023-10-10 |
| CVE-2023-45159 | 1E Client installer can perform arbitrary file deletion on protected files | 1E Client | 8.4 | High | 2023-10-05 |
| CVE-2023-32182 | SUSE Linux Enterprise Desktop Link Following Vulnerability | SUSE Linux Enterprise Desktop 15 SP5 | 5.9 | Medium | 2023-09-19 |
| CVE-2023-36758 | Visual Studio Elevation of Privilege Vulnerability | Microsoft Visual Studio 2022 version 17.7 | 7.8 | High | 2023-09-12 |
| CVE-2023-4759 | Improper handling of case insensitive filesystems in Eclipse JGit allows arbitrary file write | Eclipse JGit | 8.8 | High | 2023-09-12 |
| CVE-2023-32163 | Wacom Drivers for Windows Link Following Local Privilege Escalation Vulnerability | Drivers for Windows | 7.8 | - | 2023-09-06 |
| CVE-2023-38175 | Microsoft Windows Defender Elevation of Privilege Vulnerability | Windows Defender Antimalware Platform | 7.8 | High | 2023-08-08 |
| CVE-2023-35379 | Reliability Analysis Metrics Calculation Engine (RACEng) Elevation of Privilege Vulnerability | Windows Server 2008 R2 Service Pack 1 | 7.8 | High | 2023-08-08 |
| CVE-2023-36903 | Windows System Assessment Tool Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.8 | High | 2023-08-08 |
| CVE-2023-36876 | Reliability Analysis Metrics Calculation (RacTask) Elevation of Privilege Vulnerability | Windows Server 2008 R2 Service Pack 1 | 7.1 | High | 2023-08-08 |
| CVE-2023-32056 | Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.8 | High | 2023-07-11 |

Vulnerabilities classified as CWE-59 (Improper Link Resolution Before File Access ('Link Following')) account for 426 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.