
CWE-59 (Improper Link Resolution Before File Access ('Link Following')) — Vulnerability Class, 426 CVEs

426 vulnerabilities classified as CWE-59 (Improper Link Resolution Before File Access ('Link Following')). AI Chinese analysis included.

CWE-59 represents a critical input validation weakness where software fails to properly resolve symbolic links or shortcuts before accessing a file. Attackers typically exploit this vulnerability by crafting malicious links that point to sensitive system files or directories outside the intended scope. When the application resolves these links without adequate checks, it inadvertently grants access to unauthorized resources, potentially leading to data leakage, privilege escalation, or remote code execution. To mitigate this risk, developers must implement rigorous link resolution controls, ensuring that all file paths are canonicalized and verified against a strict allowlist before any I/O operations occur. Utilizing secure API functions that explicitly handle link following, combined with strict permission checks on the final resolved path, effectively prevents attackers from leveraging symlinks to bypass security boundaries and access unintended system components.

MITRE CWE Description
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Common Consequences (2)
Scope: Confidentiality, Integrity, Access Control. Impact: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism.
An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.
Scope: Other. Impact: Execute Unauthorized Code or Commands.
Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a ".LNK" file can be uploaded like a normal file. This can enable remote execution.
Mitigations (1)
Phase: Architecture and Design. Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CVE ID | Title | CVSS | Severity | Published
CVE-2024-26238 | Microsoft PLUGScheduler Scheduled Task Elevation of Privilege Vulnerability — Windows 10 Version 21H2 | 7.8 | High | 2024-05-14
CVE-2024-30018 | Windows Kernel Elevation of Privilege Vulnerability — Windows 10 Version 1809 | 7.8 | High | 2024-05-14
CVE-2024-3037 | Arbitrary File Deletion in PaperCut NG/MF Web Print — PaperCut NG, PaperCut MF | 7.8 | High | 2024-05-14
CVE-2023-50226 | Parallels Desktop Updater Link Following Local Privilege Escalation Vulnerability — Desktop | 7.8 | - | 2024-05-03
CVE-2023-50197 | Intel Driver & Support Assistant Link Following Local Privilege Escalation Vulnerability — Driver & Support Assistant | 7.8 | - | 2024-05-03
CVE-2023-42126 | G DATA Total Security GDBackupSvc Service Link Following Local Privilege Escalation Vulnerability — Total Security | 7.8 | - | 2024-05-03
CVE-2023-42099 | Intel Driver & Support Assistant Link Following Local Privilege Escalation Vulnerability — Driver & Support Assistant | 7.8 | - | 2024-05-03
CVE-2023-34283 | NETGEAR RAX30 USB Share Link Following Information Disclosure Vulnerability — RAX30 | 4.6 | - | 2024-05-03
CVE-2023-32179 | VIPRE Antivirus Plus FPQuarTransfer Link Following Local Privilege Escalation Vulnerability — Antivirus Plus | 7.8 | - | 2024-05-03
CVE-2023-32178 | VIPRE Antivirus Plus TelFileTransfer Link Following Local Privilege Escalation Vulnerability — Antivirus Plus | 7.8 | - | 2024-05-03
CVE-2023-32175 | VIPRE Antivirus Plus Link Following Local Privilege Escalation Vulnerability — Antivirus Plus | 7.8 | - | 2024-05-03
CVE-2023-27347 | G DATA Total Security Link Following Local Privilege Escalation Vulnerability — Total Security | 7.8 | - | 2024-05-03
CVE-2024-23459 | Multiple Arbitrary Creates/Overwrites by link following — Client Connector | 7.1 | High | 2024-05-02
CVE-2023-41971 | Windows ZCC Upgrade DoS And Privilege Escalation Through RPC Control — Client Connector | 5.3 | Medium | 2024-05-02
CVE-2024-29989 | Azure Monitor Agent Elevation of Privilege Vulnerability — Azure Monitor | 8.4 | High | 2024-04-09
CVE-2024-28907 | Microsoft Brokering File System Elevation of Privilege Vulnerability — Windows Server 2022, 23H2 Edition (Server Core installation) | 7.8 | High | 2024-04-09
CVE-2024-26216 | Windows File Server Resource Management Service Elevation of Privilege Vulnerability — Windows Server 2019 | 7.3 | High | 2024-04-09
CVE-2024-21447 | Windows Authentication Elevation of Privilege Vulnerability — Windows Server 2022 | 7.8 | High | 2024-04-09
CVE-2024-26158 | Microsoft Install Service Elevation of Privilege Vulnerability — Windows 10 Version 1809 | 7.8 | High | 2024-04-09
CVE-2024-29188 | Malicious directory junction can cause WiX RemoveFoldersEx to possibly delete elevated files — issues | 7.8 | High | 2024-03-24
CVE-2024-28916 | Xbox Gaming Services Elevation of Privilege Vulnerability — Xbox Gaming Services | 8.8 | High | 2024-03-20
CVE-2024-1753 | Buildah: full container escape at build time | 8.6 | High | 2024-03-18
CVE-2024-21432 | Windows Update Stack Elevation of Privilege Vulnerability — Windows 10 Version 1809 | 7.0 | High | 2024-03-12
CVE-2024-26199 | Microsoft Office Elevation of Privilege Vulnerability — Microsoft 365 Apps for Enterprise | 7.8 | High | 2024-03-12
CVE-2024-0068 | HYPR Security Vulnerability — Workforce Access | 5.5 | Medium | 2024-02-29
CVE-2024-21397 | Microsoft Azure File Sync Elevation of Privilege Vulnerability — Azure File Sync | 5.3 | Medium | 2024-02-13
CVE-2024-21329 | Azure Connected Machine Agent Elevation of Privilege Vulnerability — Azure Connected Machine Agent | 7.3 | High | 2024-02-13
CVE-2024-1329 | Nomad Vulnerable to Arbitrary Write Through Symlink Attack — Nomad | 7.7 | High | 2024-02-08
CVE-2023-7216 | Cpio: extraction allows symlinks which enables remote command execution — Red Hat Enterprise Linux 6 | 5.3 | Medium | 2024-02-05
CVE-2023-6336 | HYPR Link Following Vulnerability — Workforce Access | 7.2 | High | 2024-01-16

Vulnerabilities classified as CWE-59 (Improper Link Resolution Before File Access ('Link Following')) represent 426 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.