
CWE-59 (Improper Link Resolution Before File Access ('Link Following')) — Vulnerability Class 426

426 vulnerabilities classified as CWE-59 (Improper Link Resolution Before File Access ('Link Following')). AI Chinese analysis included.

CWE-59 represents a critical input validation weakness where software fails to properly resolve symbolic links or shortcuts before accessing a file. Attackers typically exploit this vulnerability by crafting malicious links that point to sensitive system files or directories outside the intended scope. When the application resolves these links without adequate checks, it inadvertently grants access to unauthorized resources, potentially leading to data leakage, privilege escalation, or remote code execution. To mitigate this risk, developers must implement rigorous link resolution controls, ensuring that all file paths are canonicalized and verified against a strict allowlist before any I/O operations occur. Utilizing secure API functions that explicitly handle link following, combined with strict permission checks on the final resolved path, effectively prevents attackers from leveraging symlinks to bypass security boundaries and access unintended system components.

MITRE CWE Description
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Common Consequences (2)
Scope: Confidentiality, Integrity, Access Control. Impact: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism.
An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.
Scope: Other. Impact: Execute Unauthorized Code or Commands.
Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a ".LNK" file can be uploaded like a normal file. This can enable remote execution.
Mitigations (1)
Phase: Architecture and Design. Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
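As an added example (not code from this page or from any vendor listed below), the two controls described above, canonicalising the path against an allowed base directory and opening with a flag that refuses to follow a link, in Python on a POSIX system. The directory layout, file names and contents are constructed for the demonstration.

```python
import errno
import os
import tempfile

class LinkFollowingError(PermissionError):
    """The path is a link or resolves outside the allowed directory."""

def read_within(base_dir: str, rel_path: str) -> str:
    """Read rel_path under base_dir, refusing links that escape base_dir.

    Canonicalise, require the resolved target to stay under base_dir, then open
    with O_NOFOLLOW so a link swapped in after the check is rejected (ELOOP).
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, rel_path))
    if os.path.commonpath([base, target]) != base:
        raise LinkFollowingError(f"{rel_path!r} resolves outside {base}")
    try:
        fd = os.open(target, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise LinkFollowingError(f"{rel_path!r} is a link") from exc
        raise
    with os.fdopen(fd) as fh:
        return fh.read()

def demo() -> dict:
    """Constructed scenario: an allowed 'uploads' dir and a secret outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        allowed = os.path.join(tmp, "uploads")
        os.mkdir(allowed)
        secret = os.path.join(tmp, "secret.txt")  # outside the allowed dir
        with open(secret, "w") as fh:
            fh.write("SECRET")
        with open(os.path.join(allowed, "note.txt"), "w") as fh:
            fh.write("hello")
        # A link inside the allowed dir that points at the secret.
        os.symlink(secret, os.path.join(allowed, "evil.txt"))
        results = {}
        # Naive open trusts the filename and follows the link: CWE-59.
        with open(os.path.join(allowed, "evil.txt")) as fh:
            results["naive_link"] = fh.read()
        results["safe_regular"] = read_within(allowed, "note.txt")
        for name in ("evil.txt", "../secret.txt"):
            try:
                read_within(allowed, name)
                results[name] = "followed"
            except LinkFollowingError:
                results[name] = "blocked"
        return results
```

The realpath check covers links in parent directories; O_NOFOLLOW closes the check-then-use window on the final component only, so the directory tree must also be protected by the least-privilege permissions the mitigation describes.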
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-32053 | Windows Installer Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.8 | High | 2023-07-11
CVE-2023-36874 | Windows Error Reporting Service Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.8 | High | 2023-07-11
CVE-2023-35353 | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.8 | High | 2023-07-11
CVE-2023-35347 | Microsoft Install Service Elevation of Privilege Vulnerability | Windows Server 2022 | 7.1 | High | 2023-07-11
CVE-2023-35342 | Windows Image Acquisition Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.8 | High | 2023-07-11
CVE-2023-35320 | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.8 | High | 2023-07-11
CVE-2023-32050 | Windows Installer Elevation of Privilege Vulnerability | Windows Server 2008 Service Pack 2 | 7.0 | High | 2023-07-11
CVE-2023-33148 | Microsoft Office Elevation of Privilege Vulnerability | Microsoft Office 2013 Click-to-Run (C2R) | 7.8 | High | 2023-07-11
CVE-2023-32012 | Windows Container Manager Service Elevation of Privilege Vulnerability | Windows 11 version 21H2 | 7.8 | High | 2023-06-13
CVE-2023-29351 | Windows Group Policy Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 8.1 | High | 2023-06-13
CVE-2023-24904 | Windows Installer Elevation of Privilege Vulnerability | Windows Server 2008 Service Pack 2 | 7.1 | High | 2023-05-09
CVE-2023-29343 | SysInternals Sysmon for Windows Elevation of Privilege Vulnerability | Windows Sysmon | 7.8 | High | 2023-05-09
CVE-2023-28141 | NTFS Junction | Cloud Agent | 6.7 | Medium | 2023-04-18
CVE-2023-28972 | Junos OS: NFX Series: 'set system ports console insecure' allows root password recovery | Junos OS | 6.8 | Medium | 2023-04-17
CVE-2023-28222 | Windows Kernel Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.1 | High | 2023-04-11
CVE-2023-0652 | Local Privilege Escalation in Cloudflare WARP Installer (Windows) | WARP | 7.0 | High | 2023-04-06
CVE-2023-1412 | Local Privilege Escalation Vulnerability in WARP's MSI Installer | WARP | 7.0 | High | 2023-04-05
CVE-2023-25940 | Dell PowerScale OneFS Link Following Vulnerability | PowerScale OneFS | 6.7 | Medium | 2023-04-04
CVE-2023-1314 | Local Privilege Escalation Vulnerability in cloudflared's Installer | cloudflared | 7.5 | High | 2023-03-21
CVE-2023-24930 | Microsoft OneDrive for MacOS Elevation of Privilege Vulnerability | OneDrive for MacOS Installer | 7.8 | High | 2023-03-14
CVE-2023-21567 | Visual Studio Denial of Service Vulnerability | Microsoft Visual Studio 2022 version 17.2 | 5.6 | Medium | 2023-02-14
CVE-2023-22490 | Git vulnerable to local clone-based data exfiltration with non-local transports | git | 5.5 | Medium | 2023-02-14
CVE-2023-21722 | .NET Framework Denial of Service Vulnerability | Microsoft .NET Framework 4.8 | 5.0 | Medium | 2023-02-14
CVE-2023-25168 | Symbolic Link (Symlink) Following allowing the deletion of files and directories on the host system in wings | wings | 9.6 | Critical | 2023-02-08
CVE-2023-25152 | Symbolic Link (Symlink) Following in github.com/pterodactyl/wings | wings | 8.4 | High | 2023-02-08
CVE-2022-42292 | NVIDIA GeForce Experience Link Following Vulnerability | GeForce Experience | 5.0 | Medium | 2023-02-07
CVE-2023-20008 | Cisco TelePresence Collaboration Endpoint Software Security Vulnerability | Cisco RoomOS Software | 4.4 | Medium | 2023-01-19
CVE-2022-45440 | Zyxel AX7501-B0 Link Following Vulnerability | AX7501-B0 firmware | 4.4 | Medium | 2023-01-17
CVE-2023-21760 | Windows Print Spooler Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.1 | High | 2023-01-10
CVE-2023-21725 | Windows Malicious Software Removal Tool Elevation of Privilege Vulnerability | Windows Malicious Software Removal Tool | 6.3 | Medium | 2023-01-10

Vulnerabilities classified as CWE-59 (Improper Link Resolution Before File Access ('Link Following')) represent 426 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.