directory-traversal
Safeguard articles tagged "directory-traversal" — guides, analysis, and best practices for software supply chain and application security.
9 articles
Path Traversal Vulnerability Prevention, Explained
One unvalidated filename and `../../../etc/passwd` reads files you never meant to expose — or worse, executes them. Here's how path traversal works and how to build file access that can't be tricked.
Preventing path traversal (directory traversal) attacks
Path traversal lets attackers read or write files outside a web app's directory using ../ sequences. Here's how it works and how to stop it.
What is Directory Traversal
Directory traversal (CWE-22) lets attackers use ../ sequences to read or write files outside a web app's root directory. Here's how it works.
What is Zip Slip Vulnerability
Zip Slip lets attackers escape archive extraction via path traversal to overwrite files and gain code execution. Here's how it works and how to stop it.
RubyGems 2019 Multi-CVE Disclosure: Directory Traversal v...
CVE-2019-8320 let malicious RubyGems packages delete arbitrary directories via symlinked gem decompression. Here's the impact, timeline, and how to remediate it.
Go's 'go get' Directory Traversal via GOPATH Package Path...
CVE-2018-16874: a directory traversal flaw in Go's go get let malicious GOPATH import paths with curly braces write files outside the workspace.
SaltStack Directory Traversal Paired With Auth Bypass (CV...
CVE-2020-11652, a directory traversal flaw in SaltStack's salt-master, paired with an auth bypass to enable full remote compromise. Impact, CVSS/KEV context, and fixes.
OWASP Path Traversal: How It Works and How to Stop It
Path traversal lets an attacker reach files outside a web app's intended directory using sequences like ../../etc/passwd — here's how it works and the fixes that actually close it.
Grafana CVE-2021-43798: Directory Traversal in Everyone's Favorite Dashboard Tool
CVE-2021-43798 allowed unauthenticated directory traversal in Grafana, exposing configuration files and credentials. Exploitation was trivial and widespread.