CWE-36: Absolute Path Traversal

ID CWE-36

Abstraction Base

Structure Simple

Status Draft

Number of CVEs 40

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.

Modes of Introduction

Phase	Note
Implementation

Applicable Platforms

Type	Class	Name	Prevalence
Language	Not Language-Specific

Relationships

View			Weakness
# ID	View	Status	# ID	Name	Abstraction	Structure	Status
CWE-1000	Research Concepts	Draft	CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	Base	Simple	Stable
CWE-1305	CISQ Quality Measures (2020)	Incomplete	CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	Base	Simple	Stable
CWE-1340	CISQ Data Protection Measures	Incomplete	CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	Base	Simple	Stable

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPEC™) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org

# ID	Name	Weaknesses
CAPEC-597	Absolute Path Traversal	CWE-36

CVEs Published

Based on CVE published date

CVSS Severity

CVSS Severity - By Year

CVSS Base Score

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date