Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types

2021 CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > CWE- Individual Dictionary Definition (4.9)  

CWE-249: DEPRECATED: Often Misused: Path Manipulation

Weakness ID: 249
Abstraction: Variant
Structure: Simple
View customized information:
+ Description
This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.
+ Extended Description

This entry was deprecated for several reasons. The primary reason is over-loading of the "path manipulation" term and the description. The original description for this entry was the same as that for the "Often Misused: File System" item in the original Seven Pernicious Kingdoms paper. However, Seven Pernicious Kingdoms also has a "Path Manipulation" phrase that is for external control of pathnames (CWE-73), which is a factor in symbolic link following and path traversal, neither of which is explicitly mentioned in 7PK. Fortify uses the phrase "Often Misused: Path Manipulation" for a broader range of problems, generally for issues related to buffer management. Given the multiple conflicting uses of this term, there is a chance that CWE users may have incorrectly mapped to this entry.

The second reason for deprecation is an implied combination of multiple weaknesses within buffer-handling functions. The focus of this entry was generally on the path-conversion functions and their association with buffer overflows. However, some of Fortify's Vulncat entries have the term "path manipulation" but describe a non-overflow weakness in which the buffer is not guaranteed to contain the entire pathname, i.e., there is information truncation (see CWE-222 for a similar concept). A new entry for this non-overflow weakness may be created in a future version of CWE.

+ Notes


Use for Mapping: Prohibited (this CWE ID must not be used to map to real-world vulnerabilities).

Rationale: this entry is deprecated.

Comments: see description for suggestions for other CWE IDs to use.

+ Content History
+ Submissions
Submission DateSubmitterOrganization
2006-07-197 Pernicious Kingdoms
+ Modifications
Modification DateModifierOrganization
2008-07-01Eric DalciCigital
updated Time_of_Introduction
2008-08-01KDM Analytics
added/updated white box definitions
2008-09-08CWE Content TeamMITRE
updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings
2009-05-27CWE Content TeamMITRE
updated Demonstrative_Examples
2009-07-17KDM Analytics
Described inconsistencies in this entry, which the CWE Content Team had already slated for deprecation.
2009-07-27CWE Content TeamMITRE
updated Affected_Resources, Applicable_Platforms, Demonstrative_Examples, Description, Maintenance_Notes, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type, White_Box_Definitions
2009-10-29CWE Content TeamMITRE
updated Relationships
2021-03-15CWE Content TeamMITRE
updated Description, Maintenance_Notes
2022-10-13CWE Content TeamMITRE
updated Description
+ Previous Entry Names
Change DatePrevious Entry Name
2009-07-27Often Misused: Path Manipulation
More information is available — Please select a different filter.
Page Last Updated: October 13, 2022