CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

low-risk

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Abstraction: Base

Common Consequences

Integrity → Execute Unauthorized Code or Commands

Integrity → Modify Files or Directories

Confidentiality → Read Files or Directories

Availability → DoS: Crash, Exit, or Restart

Detection Methods

Automated Static Analysis

Automated techniques can find areas where path traversal weaknesses exist. However, tuning or customization may be required to remove or de-prioritize path-traversal problems that are only exploitable by the product's administrator - or other privileged users - and thus potentially valid behavior or, at worst, a bug instead of a vulnerability.

Manual Static Analysis

Manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all file access operations can be assessed within limited time constraints.

Automated Static Analysis - Binary or Bytecode

According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary Weakness Analysis - including disassembler + source code weakness analysis

Manual Static Analysis - Binary or Bytecode

According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies

Dynamic Analysis with Automated Results Interpretation

According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Web Application Scanner Web Services Scanner Database Scanners

Dynamic Analysis with Manual Results Interpretation

According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Fuzz Tester Framework-based Fuzzer

Manual Static Analysis - Source Code

According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source

Automated Static Analysis - Source Code

According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer

Architecture or Design Review

According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)

Real-World Examples (10)

CVE	CVSS	EPSS	KEV
CVE-2018-13379	9.1	94.5%	Y
CVE-2018-13379	9.1	94.5%	Y
CVE-2019-3396	9.8	94.5%	Y
CVE-2019-3396	9.8	94.5%	Y
CVE-2024-23897	9.8	94.5%	Y
CVE-2019-11510	10.0	94.5%	Y
CVE-2019-11510	10.0	94.5%	Y
CVE-2021-22005	9.8	94.5%	Y
CVE-2021-22005	9.8	94.5%	Y
CVE-2020-3452	7.5	94.5%	Y

/ 100

low-risk

Active Threat 23/50 · Moderate

Exploit Availability 3/50 · Minimal