Description

The software uses external input to construct a pathname that is intended to identify a file or directory but it does not properly neutralize or validate special elements within the pathname.

Impact

Make the software resolve the pathname to a location that is outside of the intended target, for instance: /etc/passwd.

Recommendation

- Prevent the attacker from constructing the pathname. - Validate/Neutralize the input for special elements like: .., ~, /.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⏱️ 45 minutes.

Requirements

Fixes