Cwe 22

🧬 CWE Related 96
slug: cwe-22

Explanation

CWE-22は「ファイル名のパスをユーザー入力から組み立てるとき、`../` のような相対パス記号をきちんと無害化せず、本来アクセスできないファイルを読み書きされてしまう欠陥」のことです。 ファイルダウンロード機能・画像表示機能・テンプレート機能でよく見られます。 対策は「絶対パスへの正規化 + 許可されたディレクトリ内かのチェック」、または「ファイル名にIDのみを使い、パス記号を一切使わない設計」。
📌 Example
CVE-2024-57726 (SimpleHelp): zipファイル展開時のZip Slip攻撃で、サーバー上の任意の場所にファイル書き込みされる脆弱性。CISA KEV入り。

🔖 Related tags

🛡 Vulnerabilities tagged with this 1,035

ID Title
CVE-2021-3806 Path Traversal in path-traversal (CVE-2021-3806)
CVE-2021-27328 Path Traversal in path-traversal (CVE-2021-27328)
CVE-2021-45783 Path Traversal in path-traversal (CVE-2021-45783)
CVE-2022-29464 KEV [KEV] Path Traversal in Wso2 multiple-products (CVE-2022-29464)
CVE-2014-0780 KEV [KEV] Path Traversal in Indusoft web-studio (CVE-2014-0780)
CVE-2021-37293 Path Traversal in path-traversal (CVE-2021-37293)
CVE-2019-7483 KEV [KEV] Path Traversal in Sonicwall sma100 (CVE-2019-7483)
CVE-2020-1631 KEV [KEV] Path Traversal in Juniper junos-os (CVE-2020-1631)
CVE-2016-0752 KEV [KEV] Path Traversal in rails (CVE-2016-0752)
CVE-2015-4068 KEV [KEV] Path Traversal in Arcserve unified-data-protection-udp (CVE-2015-4068)
CVE-2015-3035 KEV [KEV] Path Traversal in Tp-link multiple-archer-devices (CVE-2015-3035)
CVE-2015-0666 KEV [KEV] Path Traversal in Cisco prime-data-center-network-manager-dcnm (CVE-2015-0666)
CVE-2014-0130 KEV [KEV] Path Traversal in rails (CVE-2014-0130)
CVE-2010-2861 KEV [KEV] Path Traversal in Adobe coldfusion (CVE-2010-2861)
CVE-2022-23347 Path Traversal in path-traversal (CVE-2022-23347)
CVE-2022-22914 Path Traversal in path-traversal (CVE-2022-22914)
CVE-2020-14864 KEV [KEV] Path Traversal in Oracle intelligence-enterprise-edition (CVE-2020-14864)
CVE-2021-44674 Path Traversal in opmantek (CVE-2021-44674)
CVE-2021-45418 Path Traversal in path-traversal (CVE-2021-45418)
CVE-2021-41449 Path Traversal in path-traversal (CVE-2021-41449)
CVE-2018-14847 KEV [KEV] Path Traversal in Mikrotik routeros (CVE-2018-14847)
CVE-2021-42013 KEV [KEV] Path Traversal in Apache http-server (CVE-2021-42013)
CVE-2021-41773 KEV [KEV] Path Traversal in Apache http-server (CVE-2021-41773)
CVE-2021-20090 KEV [KEV] Path Traversal in Arcadyan buffalo-firmware (CVE-2021-20090)
CVE-2019-3398 KEV [KEV] Path Traversal in Atlassian confluence-server-and-data-center (CVE-2019-3398)
CVE-2019-3396 KEV [KEV] Path Traversal in Atlassian confluence-server-and-data-server (CVE-2019-3396)
CVE-2019-19781 KEV [KEV] Path Traversal in Citrix application-delivery-controller-adc (CVE-2019-19781)
CVE-2020-5902 KEV [KEV] Path Traversal in F5 big-ip (CVE-2020-5902)
CVE-2018-13379 KEV [KEV] Path Traversal in Fortinet fortios (CVE-2018-13379)
CVE-2020-4430 KEV [KEV] Path Traversal in Ibm data-risk-manager (CVE-2020-4430)

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →