CWE Individual Dictionary Definition (2.2)

CWE-21: Pathname Traversal and Equivalence Errors

Category ID: 21 (Category)    Status: Incomplete
+ Description

Description Summary

Weaknesses in this category can be used to access files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence).

Extended Description

Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered. The manipulations generally involve special characters or sequences in pathnames, or the use of alternate references or channels.

+ Applicable Platforms

Languages

All

+ Potential Mitigations

Assume all input is malicious. Use an appropriate combination of black lists and white lists to ensure only valid and expected input is processed by the system.
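
As an added illustration of the mitigation above (example code, not part of the CWE entry), the following Python function canonicalizes a user-supplied name under an assumed base directory and accepts it only when the resolved path stays inside that directory. The demo builds a constructed temporary tree containing a symlink that escapes the base, so both the traversal case (CWE-22) and the equivalence/link-following cases (CWE-41, CWE-59) listed in the relationships below are exercised against the same check.

```python
import os
import tempfile
from typing import Optional


def safe_join(base_dir: str, user_path: str) -> Optional[str]:
    """Canonical absolute path of user_path inside base_dir, or None when the
    request would leave base_dir (path traversal) or reach another location
    through a symlink or alternate spelling (path equivalence)."""
    # Reject bytes that act as separators or terminators on other platforms
    # instead of trying to normalise them: allowlist the expected shape.
    if "\x00" in user_path or "\\" in user_path:
        return None
    base = os.path.realpath(base_dir)
    # Join, then canonicalise: realpath collapses '.', '..', '//' and symlinks.
    # An absolute user_path replaces base here and is caught by the check below.
    candidate = os.path.realpath(os.path.join(base, user_path))
    # Decide on the *resolved* path, never on the raw string. commonpath
    # compares whole components, so '/srv/public-old' does not match '/srv/public'.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo() -> dict:
    """Run benign and hostile names through safe_join in a constructed
    temporary tree (assumed layout: <root>/public is the restricted directory,
    <root>/outside holds a file that must stay unreachable)."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "public")
    outside = os.path.join(root, "outside")
    os.makedirs(os.path.join(base, "css"))
    os.mkdir(outside)
    for path in (os.path.join(base, "index.html"), os.path.join(outside, "secret.txt")):
        open(path, "w").close()
    os.symlink(outside, os.path.join(base, "link"))  # equivalence route out of base
    requests = {
        "plain": "index.html",
        "dotdot": "../outside/secret.txt",
        "absolute": os.path.join(outside, "secret.txt"),
        "symlink": "link/secret.txt",
        "noisy_but_ok": "css/..//./index.html",
    }
    results = {name: safe_join(base, p) for name, p in requests.items()}
    results["expected_plain"] = os.path.realpath(os.path.join(base, "index.html"))
    return results
```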

+ Relationships
Nature   | Type           | ID | Name                                                                           | View(s) this relationship pertains to
ChildOf  | Weakness Class | 20 | Improper Input Validation                                                      | Development Concepts (primary) 699
ParentOf | Weakness Class | 22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Development Concepts (primary) 699
ParentOf | Weakness Base  | 41 | Improper Resolution of Path Equivalence                                        | Development Concepts (primary) 699
ParentOf | Weakness Base  | 59 | Improper Link Resolution Before File Access ('Link Following')                 | Development Concepts (primary) 699
ParentOf | Weakness Base  | 66 | Improper Handling of File Names that Identify Virtual Resources                | Development Concepts (primary) 699
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER               |         |     | Pathname Traversal and Equivalence Errors
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
                | PLOVER    |              | Externally Mined
Modifications
Modification Date | Modifier         | Organization | Source
2008-09-08        | CWE Content Team | MITRE        | Internal
    updated Relationships, Taxonomy_Mappings, Type
2008-10-14        | CWE Content Team | MITRE        | Internal
    updated Description
2012-05-11        | CWE Content Team | MITRE        | Internal
    updated Related_Attack_Patterns
Page Last Updated: May 14, 2012