Cwe 22

Explanation

CWE-22は「ファイル名のパスをユーザー入力から組み立てるとき、`../` のような相対パス記号をきちんと無害化せず、本来アクセスできないファイルを読み書きされてしまう欠陥」のことです。ファイルダウンロード機能・画像表示機能・テンプレート機能でよく見られます。対策は「絶対パスへの正規化 + 許可されたディレクトリ内かのチェック」、または「ファイル名にIDのみを使い、パス記号を一切使わない設計」。

📌 Example

CVE-2024-57726 (SimpleHelp): zipファイル展開時のZip Slip攻撃で、サーバー上の任意の場所にファイル書き込みされる脆弱性。CISA KEV入り。

🛡 Vulnerabilities tagged with this 100

ID	Title	Severity	Detected
CVE-2022-26500 KEV	[KEV] Path Traversal in Veeam backup-replication (CVE-2022-26500)	High	3 years ago
CVE-2022-41352 KEV	[KEV] Path Traversal in Synacor zimbra-collaboration-suite-zcs (CVE-2022-41352)	High	3 years ago
CVE-2022-26352 KEV	[KEV] Path Traversal in dotcms (CVE-2022-26352)	High	3 years ago
CVE-2020-36193 KEV	[KEV] Path Traversal in Pear archive-tar (CVE-2020-36193)	High	3 years ago
CVE-2022-27925 KEV	[KEV] Path Traversal in Synacor zimbra-collaboration-suite-zcs (CVE-2022-27925)	High	3 years ago
CVE-2022-30333 KEV	[KEV] Path Traversal in Rarlab unrar (CVE-2022-30333)	High	3 years ago
CVE-2019-7194 KEV	[KEV] Path Traversal in Qnap photo-station (CVE-2019-7194)	High	3 years ago
CVE-2019-7195 KEV	[KEV] Path Traversal in Qnap photo-station (CVE-2019-7195)	High	3 years ago
CVE-2015-0016 KEV	[KEV] Path Traversal in Microsoft windows (CVE-2015-0016)	High	3 years ago
CVE-2022-29464 KEV	[KEV] Path Traversal in Wso2 multiple-products (CVE-2022-29464)	High	4 years ago
CVE-2014-0780 KEV	[KEV] Path Traversal in Indusoft web-studio (CVE-2014-0780)	High	4 years ago
CVE-2019-7483 KEV	[KEV] Path Traversal in Sonicwall sma100 (CVE-2019-7483)	High	4 years ago
CVE-2010-2861 KEV	[KEV] Path Traversal in Adobe coldfusion (CVE-2010-2861)	High	4 years ago
CVE-2020-1631 KEV	[KEV] Path Traversal in Juniper junos-os (CVE-2020-1631)	High	4 years ago
CVE-2016-0752 KEV	[KEV] Path Traversal in rails (CVE-2016-0752)	High	4 years ago
CVE-2015-4068 KEV	[KEV] Path Traversal in Arcserve unified-data-protection-udp (CVE-2015-4068)	High	4 years ago
CVE-2015-3035 KEV	[KEV] Path Traversal in Tp-link multiple-archer-devices (CVE-2015-3035)	High	4 years ago
CVE-2015-0666 KEV	[KEV] Path Traversal in Cisco prime-data-center-network-manager-dcnm (CVE-2015-0666)	High	4 years ago
CVE-2014-0130 KEV	[KEV] Path Traversal in rails (CVE-2014-0130)	High	4 years ago
CVE-2020-14864 KEV	[KEV] Path Traversal in Oracle intelligence-enterprise-edition (CVE-2020-14864)	High	4 years ago
CVE-2018-14847 KEV	[KEV] Path Traversal in Mikrotik routeros (CVE-2018-14847)	High	4 years ago
CVE-2019-19781 KEV	[KEV] Path Traversal in Citrix application-delivery-controller-adc (CVE-2019-19781)	High	4 years ago
CVE-2019-3396 KEV	[KEV] Path Traversal in Atlassian confluence-server-and-data-server (CVE-2019-3396)	High	4 years ago
CVE-2020-5902 KEV	[KEV] Path Traversal in F5 big-ip (CVE-2020-5902)	High	4 years ago
CVE-2018-13379 KEV	[KEV] Path Traversal in Fortinet fortios (CVE-2018-13379)	High	4 years ago
CVE-2020-4430 KEV	[KEV] Path Traversal in Ibm data-risk-manager (CVE-2020-4430)	High	4 years ago
CVE-2021-40444 KEV	[KEV] Path Traversal in Microsoft mshtml (CVE-2021-40444)	High	4 years ago
CVE-2019-11510 KEV	[KEV] Path Traversal in Ivanti pulse-connect-secure (CVE-2019-11510)	High	4 years ago
CVE-2020-11652 KEV	[KEV] Path Traversal in Saltstack salt (CVE-2020-11652)	High	4 years ago
CVE-2018-2380 KEV	[KEV] Path Traversal in Sap customer-relationship-management-crm (CVE-2018-2380)	High	4 years ago

Title