Linux systemd Symlink Dereference Via chown_one()
MS13-097 Registry Symlink IE Sandbox Escape
systemd create or overwrite arbitrary files
Solaris 10 Patch Cluster Symlink Attack
Larry W. Cashdollar
Medium severity flaw in QNX Neutrino RTOS
Linux kernel: ZERO_SIZE_PTR dereference for long symlinks in Be FS
FreeBSD crontab information leakage
The GNU C library dynamic linker expands $ORIGIN in setuid library search path
emesene predictable 1.6.1 temporary filename
Emilio Pozuelo Monfort
Mathematica on Linux /tmp/MathLink vulnerability
Solaris Update manager and Sun Patch Cluster - Symlink attack
Deliver 2.1.14 Multiple vulnerabilities
fcrontab 3.0.4 Information Disclosure Vulnerability
Oscailt 3.3 CMS Local File Inclusion
VideoCache 1.9.2 vccleaner root vulnerability
MySQL - 5.1.41 Multiple Vulnerabilities
Enomaly ECP/Enomalism: Insecure temporary file creation vulnerabilities
ViArt Shopping Cart v3.5 Multiple Remote Vulnerabilities
verlihub <= 0.9.8d-RC2 Remote Command Execution Vulnerability
/bin/login gives root to group utmp
python-2.3.4-5 Symbolic link attack possibility
Jan iankko Lieskovsky
CVEMAP Search Results
In Avast Antivirus before 19.4, a local administrator can trick the product into renaming arbitrary files by replacing the Logs\Update.log file with a symlink. The next time the product attempts to write to the log file, the target of the symlink is renamed. This defect can be exploited to rename a critical product file (e.g., AvastSvc.exe), causing the product to fail to start on the next system restart.
In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c.
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to overwrite arbitrary files. The openvpn_launcher binary is setuid root. This binary supports the --log option, which accepts a path as an argument. This parameter is not sanitized, which allows a local unprivileged user to overwrite arbitrary files owned by any user on the system, including root. This creates a denial of service condition and possible data loss if leveraged by a malicious local user.
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v0.9.8 beta (build 02099) for macOS could allow an authenticated, local attacker to overwrite arbitrary files. When the client initiates a connection, the XML /tmp/pia-watcher.plist file is created. If the file exists, it will be truncated and the contents completely overwritten. This file is removed on disconnect. An unprivileged user can create a hard or soft link to arbitrary files owned by any user on the system, including root. This creates a denial of service condition and possible data loss if leveraged by a malicious local user.
In GUI mode, deepin-clone before 1.1.3 creates a log file at the fixed path /tmp/.deepin-clone.log as root, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled.
deepin-clone before 1.1.3 uses a predictable path /tmp/.deepin-clone/mount/<block-dev-basename> in the Helper::temporaryMountDevice() function to temporarily mount a file system as root. An unprivileged user can prepare a symlink at this location to have the file system mounted in an arbitrary location. By winning a race condition, the attacker can also enter the mount point, thereby preventing a subsequent unmount of the file system.
deepin-clone before 1.1.3 uses a fixed path /tmp/repo.iso in the BootDoctor::fix() function to download an ISO file, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled. By winning a race condition to replace the /tmp/repo.iso symlink by an attacker controlled ISO file, further privilege escalation may be possible.
deepin-clone before 1.1.3 uses a fixed path /tmp/partclone.log in the Helper::getPartitionSizeInfo() function to write a log file as root, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled.
libqb before 1.0.5 allows local users to overwrite arbitrary files via a symlink attack, because it uses predictable filenames (under /dev/shm and /tmp) without O_EXCL.
In some configurations an attacker can inject a new executable path into the extensions.load file for osquery and hard link a parent folder of a malicious binary to a folder with known 'safe' permissions. Under those circumstances osquery will load said malicious executable with SYSTEM permissions. The solution is to migrate installations to the 'Program Files' directory on Windows which restricts unprivileged write access. This issue affects osquery prior to v3.4.0.