Linux systemd Symlink Dereference Via chown_one()
MS13-097 Registry Symlink IE Sandbox Escape
systemd create or overwrite arbitrary files
Solaris 10 Patch Cluster Symlink Attack
Larry W. Cashdollar
Medium severity flaw in QNX Neutrino RTOS
Linux kernel: ZERO_SIZE_PTR dereference for long symlinks in Be FS
FreeBSD crontab information leakage
The GNU C library dynamic linker expands $ORIGIN in setuid library search path
emesene predictable 1.6.1 temporary filename
Emilio Pozuelo Monfort
Mathematica on Linux /tmp/MathLink vulnerability
Solaris Update manager and Sun Patch Cluster - Symlink attack
Deliver 2.1.14 Multiple vulnerabilities
fcrontab 3.0.4 Information Disclosure Vulnerability
Oscailt 3.3 CMS Local File Inclusion
VideoCache 1.9.2 vccleaner root vulnerability
MySQL - 5.1.41 Multiple Vulnerabilities
Enomaly ECP/Enomalism: Insecure temporary file creation vulnerabilities
ViArt Shopping Cart v3.5 Multiple Remote Vulnerabilities
verlihub <= 0.9.8d-RC2 Remote Command Execution Vulnerability
/bin/login gives root to group utmp
python-2.3.4-5 Symbolic link attack possibility
Jan iankko Lieskovsky
CVEMAP Search Results
A denial of service vulnerability exists when Windows improperly handles hard links, aka 'Microsoft Windows Denial of Service Vulnerability'.
A vulnerability in the filesystem of Cisco IOS XE Software could allow an authenticated, local attacker with physical access to an affected device to execute arbitrary code on the underlying operating system (OS) with root privileges. The vulnerability is due to insufficient file location validation. An attacker could exploit this vulnerability by placing code in a specific format on a USB device and inserting it into an affected Cisco device. A successful exploit could allow the attacker to execute the code with root privileges on the underlying OS of the affected device.
An issue was discovered in the tar crate before 0.4.16 for Rust. Arbitrary file overwrite can occur via a symlink or hardlink in a TAR archive.
In Avast Antivirus before 19.4, a local administrator can trick the product into renaming arbitrary files by replacing the Logs\Update.log file with a symlink. The next time the product attempts to write to the log file, the target of the symlink is renamed. This defect can be exploited to rename a critical product file (e.g., AvastSvc.exe), causing the product to fail to start on the next system restart.
In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c.
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to overwrite arbitrary files. The openvpn_launcher binary is setuid root. This binary supports the --log option, which accepts a path as an argument. This parameter is not sanitized, which allows a local unprivileged user to overwrite arbitrary files owned by any user on the system, including root. This creates a denial of service condition and possible data loss if leveraged by a malicious local user.
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v0.9.8 beta (build 02099) for macOS could allow an authenticated, local attacker to overwrite arbitrary files. When the client initiates a connection, the XML /tmp/pia-watcher.plist file is created. If the file exists, it will be truncated and the contents completely overwritten. This file is removed on disconnect. An unprivileged user can create a hard or soft link to arbitrary files owned by any user on the system, including root. This creates a denial of service condition and possible data loss if leveraged by a malicious local user.
deepin-clone before 1.1.3 uses a fixed path /tmp/partclone.log in the Helper::getPartitionSizeInfo() function to write a log file as root, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled.
deepin-clone before 1.1.3 uses a fixed path /tmp/repo.iso in the BootDoctor::fix() function to download an ISO file, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled. By winning a race condition to replace the /tmp/repo.iso symlink by an attacker controlled ISO file, further privilege escalation may be possible.
In GUI mode, deepin-clone before 1.1.3 creates a log file at the fixed path /tmp/.deepin-clone.log as root, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled.