CWE-59 (Improper Link Resolution Before File Access ('Link Following')), vulnerability class with 426 entries

426 vulnerabilities classified as CWE-59 (Improper Link Resolution Before File Access ('Link Following')). AI-generated analysis in Chinese is included for some entries.

CWE-59 is a file-access weakness (MITRE files it under CWE-706, Use of Incorrectly-Resolved Name or Reference) in which software opens, writes, deletes or changes permissions on a path without ensuring that the name does not resolve, through a symbolic link, hard link, junction or shortcut, to a resource it never intended to touch. The typical attack is local: a low-privileged user plants a link in a directory that a privileged process will later act on (a temp directory, a log or quarantine folder, an upload area), so that the privileged operation lands on a sensitive file instead. Most of the CVEs listed below follow exactly that pattern: an antivirus, agent or driver service that follows a link in a user-writable location and can thereby be made to overwrite, delete or disclose protected files, which is why they are rated as local privilege escalation or denial of service rather than remote code execution. Canonicalizing the path and checking it against an allowlist is necessary but not sufficient, because a link can be swapped in between the check and the open (a time-of-check/time-of-use race). The robust fix is to make the open itself refuse links: open with O_NOFOLLOW on every component (via openat with a directory file descriptor, or in one call with openat2 and RESOLVE_NO_SYMLINKS on Linux 5.6+), verify the opened descriptor with fstat (file type, owner, link count) before using it, and on Windows open with FILE_FLAG_OPEN_REPARSE_POINT and reject reparse points rather than trusting a pre-checked name. Combine that with least privilege so the process that handles untrusted directories cannot reach the sensitive targets in the first place.
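The two halves of that argument side by side, as an added example that is not code from the page or from any vendor listed on it: a check-then-open that a symlink planted between the check and the use defeats, beside a per-component O_NOFOLLOW open that refuses links at the kernel boundary. The directory layout, file names and contents are constructed for the demonstration; the code is POSIX-only (it needs os.open with dir_fd and O_NOFOLLOW) and assumes the base directory itself is trusted.

```python
# Added example (not from the page or any listed vendor): check-then-open versus
# a per-component O_NOFOLLOW open. POSIX only (os.open(dir_fd=...), O_NOFOLLOW).
import errno
import os
import stat
import tempfile


def check_inside_base(base_dir, relpath):
    """Vulnerable pattern: canonicalise the name and compare it with the base.
    Correct for the instant it runs, but nothing ties the later open() to the
    inode that was inspected, so a link dropped in between is followed."""
    real_base = os.path.realpath(base_dir)
    real_path = os.path.realpath(os.path.join(base_dir, relpath))
    return real_path.startswith(real_base + os.sep)


def open_no_follow(base_dir, relpath):
    """Hardened open: walk the path one component at a time from a directory
    descriptor, refusing symlinks at every step (O_NOFOLLOW), then verify the
    object actually opened with fstat. Returns a file descriptor."""
    parts = relpath.split("/")
    if not parts or any(p in ("", ".", "..") for p in parts):
        raise ValueError("rejecting empty, '.' or '..' component: %r" % relpath)
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC
    # The base directory is assumed trusted, so it is the only path opened by name.
    dfd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
    try:
        for comp in parts[:-1]:
            nfd = os.open(comp, dir_flags, dir_fd=dfd)
            os.close(dfd)
            dfd = nfd
        # O_NOFOLLOW makes the kernel fail with ELOOP if the last component is a symlink.
        fd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=dfd)
    finally:
        os.close(dfd)
    st = os.fstat(fd)  # inspect the object we opened, not a name
    if not stat.S_ISREG(st.st_mode):
        os.close(fd)
        raise PermissionError("not a regular file: %r" % relpath)
    return fd


def demo():
    """Constructed scenario: an unprivileged user controls uploads/public and a
    more privileged program reads files from it. Returns the observed outcomes."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "uploads")
        os.makedirs(os.path.join(base, "public"))
        secret = os.path.join(tmp, "secret.key")  # outside the base directory
        with open(secret, "wb") as f:
            f.write(b"TOP-SECRET")
        target = os.path.join(base, "public", "report.txt")
        with open(target, "wb") as f:
            f.write(b"quarterly report")

        # A genuine regular file passes the hardened open.
        with os.fdopen(open_no_follow(base, "public/report.txt"), "rb") as f:
            out["hardened_ok_read"] = f.read()

        # Time of check: the name canonicalises inside the base, so the check passes.
        out["check_passed"] = check_inside_base(base, "public/report.txt")

        # Attacker acts between check and use: replace the file with a symlink.
        os.remove(target)
        os.symlink(secret, target)

        # Time of use: the naive open follows the link and reads the secret.
        with open(target, "rb") as f:
            out["naive_read"] = f.read()

        # The hardened open refuses the link with ELOOP instead of following it.
        try:
            os.close(open_no_follow(base, "public/report.txt"))
            out["hardened_refused"] = False
        except OSError as e:
            out["hardened_refused"] = e.errno == errno.ELOOP
    return out


if __name__ == "__main__":
    print(demo())
```

O_NOFOLLOW stops symlinks but not hard links, so a writer that must also defend against a hard link to a protected file should additionally check st_uid and st_nlink on the fstat result (or rely on fs.protected_hardlinks on Linux). On Linux 5.6+ openat2 with RESOLVE_NO_SYMLINKS and RESOLVE_BENEATH performs the same per-component refusal in one system call; on Windows the equivalent is opening with FILE_FLAG_OPEN_REPARSE_POINT and rejecting handles whose attributes include FILE_ATTRIBUTE_REPARSE_POINT.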

MITRE CWE Description
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Common Consequences (2)
Scope: Confidentiality, Integrity, Access Control
Impact: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism
An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.

Scope: Other
Impact: Execute Unauthorized Code or Commands
Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a ".LNK" file can be uploaded like a normal file. This can enable remote execution.

Mitigations (1)
Phase: Architecture and Design
Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-7235 | AVG AntiVirus Free Link Following Denial-of-Service Vulnerability | AntiVirus Free | 5.5 | - | 2024-11-22
CVE-2024-7233 | Avast Free Antivirus AvastSvc Link Following Local Privilege Escalation Vulnerability | Free Antivirus | 7.8 | - | 2024-11-22
CVE-2024-7232 | Avast Free Antivirus AvastSvc Link Following Local Privilege Escalation Vulnerability | Free Antivirus | 7.8 | - | 2024-11-22
CVE-2024-7227 | Avast Free Antivirus AvastSvc Link Following Local Privilege Escalation Vulnerability | Free Antivirus | 7.8 | - | 2024-11-22
CVE-2024-7229 | Avast Cleanup Premium Link Following Local Privilege Escalation Vulnerability | Cleanup Premium | 7.8 | - | 2024-11-22
CVE-2024-7231 | Avast Cleanup Premium Link Following Local Privilege Escalation Vulnerability | Cleanup Premium | 7.8 | - | 2024-11-22
CVE-2024-7230 | Avast Cleanup Premium Link Following Local Privilege Escalation Vulnerability | Cleanup Premium | 7.8 | - | 2024-11-22
CVE-2024-7228 | Avast Free Antivirus Link Following Denial-of-Service Vulnerability | Free Antivirus | 5.5 | - | 2024-11-22
CVE-2024-9766 | Wacom Center WTabletServicePro Link Following Local Privilege Escalation Vulnerability | Center | 7.8 | - | 2024-11-22
CVE-2024-6260 | Malwarebytes Antimalware Link Following Local Privilege Escalation Vulnerability | Anti-Malware | 7.8 | - | 2024-11-22
CVE-2024-6233 | Check Point ZoneAlarm Extreme Security Link Following Local Privilege Escalation Vulnerability | ZoneAlarm Extreme Security | 7.8 | - | 2024-11-22
CVE-2024-30377 | G DATA Total Security Scan Server Link Following Local Privilege Escalation Vulnerability | Total Security | 7.8 | - | 2024-11-22
CVE-2024-1868 | G DATA Total Security Link Following Local Privilege Escalation Vulnerability | Total Security | 7.8 | - | 2024-11-22
CVE-2024-1867 | G DATA Total Security Link Following Local Privilege Escalation Vulnerability | Total Security | 7.8 | - | 2024-11-22
CVE-2024-48862 | QuLog Center | QuLog Center | 9.1 | - | 2024-11-22
CVE-2024-52522 | Rclone Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata | rclone | 8.2 | - | 2024-11-15
CVE-2021-1491 | Cisco SD-WAN vManage Software Information Disclosure Vulnerability | Cisco Catalyst SD-WAN Manager | 6.5 | - | 2024-11-15
CVE-2023-20004 | Cisco TelePresence Collaboration Endpoint and RoomOS Software Arbitrary File Write Vulnerability | Cisco RoomOS Software | 4.4 | Medium | 2024-11-15
CVE-2024-51721 | Vulnerabilities in SecuSUITE Server Components Impact SecuSUITE | SecuSUITE | 7.3 | High | 2024-11-12
CVE-2024-49051 | Microsoft PC Manager Elevation of Privilege Vulnerability | Microsoft PC Manager | 7.8 | High | 2024-11-12
CVE-2024-10007 | Pre-Receive Hook Path Collision Vulnerability in GitHub Enterprise Server Allowing Privilege Escalation | Enterprise Server | 9.1 | Critical (AI-assessed) | 2024-11-07
CVE-2024-6868 | Arbitrary File Write in mudler/LocalAI | mudler/localai | 8.8 | High (AI-assessed) | 2024-10-29
CVE-2024-45316 | SonicWALL Connect Tunnel Link Following Vulnerability | Connect Tunnel | 7.8 | High (AI-assessed) | 2024-10-11
CVE-2024-45315 | SonicWALL Connect Tunnel Link Following Vulnerability | Connect Tunnel | 7.1 | High (AI-assessed) | 2024-10-11
CVE-2024-43603 | Visual Studio Collector Service Denial of Service Vulnerability | Microsoft Visual Studio 2022 version 17.11 | 5.5 | Medium | 2024-10-08
CVE-2024-43551 | Windows Storage Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.8 | High | 2024-10-08
CVE-2024-43501 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.8 | High | 2024-10-08
CVE-2024-38097 | Azure Monitor Agent Elevation of Privilege Vulnerability | Azure Monitor | 7.1 | High | 2024-10-08
CVE-2024-27458 | HP Hotkey Support - Escalation of Privilege | HP Hotkey Support | 8.8 | High | 2024-10-07
CVE-2024-9341 | Podman: buildah: cri-o: fips crypto-policy directory mounting issue in containers/common go library | - | 5.4 | Medium | 2024-10-01

(A "-" in the Product or Severity column means the page gives no value; "AI-assessed" marks a severity the page flags as AI-generated rather than vendor-assigned.)

426 CVEs are classified as CWE-59 (Improper Link Resolution Before File Access ('Link Following')). The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.