CWE-61 - UNIX Symbolic Link (Symlink) Following

Description

Symbolic links (symlink), provided by software system, are easy to spoof. With the help of changed symlinks malefactor offender can get and use any data to which he had no permission before.
A malicious user can create a symbolic link to a file not otherwise accessible to him or her. When the privileged program creates a file of the same name as the symbolic link, it actually creates the linked-to file instead, possibly inserting content desired or even provided by the malicious user.
The vulnerability has the biggest influence on integrity and confidentiality of the data and allows attackers to read and alter data of directories.
The weakness is introduced during Implementation stage.

Latest vulnerabilities for CWE-61

Multiple vulnerabilities in IBM Integration Designer 2024-04-23
High Yes

Multiple vulnerabilities in Oracle Data Integrator 2024-04-17
High Yes

Multiple vulnerabilities in IBM AIX and IBM VIOS 2024-04-12
Medium Yes

Multiple vulnerabilities in Apple macOS Sonoma 2024-03-07
High Yes

Insecure symbolic link following in Python 2024-03-07
Low Yes

Privilege escalation in Microsoft Azure Connected Machine Agent 2024-02-13
Low Yes

Multiple vulnerabilities in HashiCorp Nomad 2024-02-08
High Yes

Multiple vulnerabilities in Oracle Retail Customer Management and Segmentation Foundation 2024-01-17
Medium Yes

Multiple vulnerabilities in Juniper Networks Session Smart Router 2024-01-12
High Yes

Multiple vulnerabilities in IBM Cloud Pak for Business Automation 2023-12-19
High Yes

References

Description of CWE-61 on Mitre website