Linux systemd Symlink Dereference Via chown_one()
MS13-097 Registry Symlink IE Sandbox Escape
systemd create or overwrite arbitrary files
Solaris 10 Patch Cluster Symlink Attack
Larry W. Cashdollar
Medium severity flaw in QNX Neutrino RTOS
Linux kernel: ZERO_SIZE_PTR dereference for long symlinks in Be FS
FreeBSD crontab information leakage
The GNU C library dynamic linker expands $ORIGIN in setuid library search path
emesene predictable 1.6.1 temporary filename
Emilio Pozuelo Monfort
Mathematica on Linux /tmp/MathLink vulnerability
Solaris Update manager and Sun Patch Cluster - Symlink attack
Deliver 2.1.14 Multiple vulnerabilities
fcrontab 3.0.4 Information Disclosure Vulnerability
Oscailt 3.3 CMS Local File Inclusion
VideoCache 1.9.2 vccleaner root vulnerability
MySQL - 5.1.41 Multiple Vulnerabilities
Enomaly ECP/Enomalism: Insecure temporary file creation vulnerabilities
ViArt Shopping Cart v3.5 Multiple Remote Vulnerabilities
verlihub <= 0.9.8d-RC2 Remote Command Execution Vulnerability
/bin/login gives root to group utmp
python-2.3.4-5 Symbolic link attack possibility
Jan iankko Lieskovsky
CVEMAP Search Results
libqb before 1.0.5 allows local users to overwrite arbitrary files via a symlink attack, because it uses predictable filenames (under /dev/shm and /tmp) without O_EXCL.
In some configurations an attacker can inject a new executable path into the extensions.load file for osquery and hard link a parent folder of a malicious binary to a folder with known 'safe' permissions. Under those circumstances osquery will load said malicious executable with SYSTEM permissions. The solution is to migrate installations to the 'Program Files' directory on Windows which restricts unprivileged write access. This issue affects osquery prior to v3.4.0.
Western Digital My Cloud Cloud, Mirror Gen2, EX2 Ultra, EX2100, EX4100, DL2100, DL4100, PR2100 and PR4100 before firmware 2.31.183 are affected by a code execution (as root, starting from a low-privilege user session) vulnerability. The cgi-bin/webfile_mgr.cgi file allows arbitrary file write by abusing symlinks. Specifically, this occurs by uploading a tar archive that contains a symbolic link, then uploading another archive that writes a file to the link using the "cgi_untar" command. Other commands might also be susceptible. Code can be executed because the "name" parameter passed to the cgi_unzip command is not sanitized.
A vulnerability was found in node-tar before version 4.4.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.
snap-confine as included in snapd before 2.39 did not guard against symlink races when performing the chdir() to the current working directory of the calling user, aka a "cwd restore permission bypass."
snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory.
A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user's machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user's machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0.
In yast2-multipath before version 4.1.1, a static temporary filename allows local attackers to overwrite files on systems without symlink protection.
In supportutils, before version 3.1-5.7.1 and if pacemaker is installed on the system, an unprivileged user could have overwritten arbitrary files in the directory that is used by supportutils to collect the log files.