| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2019-1002101 |
59 |
|
|
2019-04-01 |
2019-10-10 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user?s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user?s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0. |
|
2 |
CVE-2019-13636 |
59 |
|
|
2019-07-17 |
2019-07-24 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c. |
|
3 |
CVE-2019-13229 |
59 |
|
|
2019-07-04 |
2019-08-14 |
6.6 |
None |
Local |
Low |
Not required |
None |
Complete |
Complete |
|
deepin-clone before 1.1.3 uses a fixed path /tmp/partclone.log in the Helper::getPartitionSizeInfo() function to write a log file as root, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled. |
|
4 |
CVE-2019-13228 |
59 |
|
|
2019-07-04 |
2019-07-27 |
6.6 |
None |
Local |
Medium |
Not required |
Partial |
Complete |
Complete |
|
deepin-clone before 1.1.3 uses a fixed path /tmp/repo.iso in the BootDoctor::fix() function to download an ISO file, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled. By winning a race condition to replace the /tmp/repo.iso symlink by an attacker controlled ISO file, further privilege escalation may be possible. |
|
5 |
CVE-2019-13227 |
59 |
|
|
2019-07-04 |
2019-07-27 |
6.6 |
None |
Local |
Low |
Not required |
None |
Complete |
Complete |
|
In GUI mode, deepin-clone before 1.1.3 creates a log file at the fixed path /tmp/.deepin-clone.log as root, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled. |
|
6 |
CVE-2019-13226 |
59 |
|
|
2019-07-04 |
2019-07-27 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
deepin-clone before 1.1.3 uses a predictable path /tmp/.deepin-clone/mount/<block-dev-basename> in the Helper::temporaryMountDevice() function to temporarily mount a file system as root. An unprivileged user can prepare a symlink at this location to have the file system mounted in an arbitrary location. By winning a race condition, the attacker can also enter the mount point, thereby preventing a subsequent unmount of the file system. |
|
7 |
CVE-2019-12779 |
59 |
|
|
2019-06-07 |
2019-07-19 |
6.6 |
None |
Local |
Low |
Not required |
None |
Complete |
Complete |
|
libqb before 1.0.5 allows local users to overwrite arbitrary files via a symlink attack, because it uses predictable filenames (under /dev/shm and /tmp) without O_EXCL. |
|
8 |
CVE-2019-12672 |
59 |
|
Exec Code |
2019-09-25 |
2019-10-09 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
A vulnerability in the filesystem of Cisco IOS XE Software could allow an authenticated, local attacker with physical access to an affected device to execute arbitrary code on the underlying operating system (OS) with root privileges. The vulnerability is due to insufficient file location validation. An attacker could exploit this vulnerability by placing code in a specific format on a USB device and inserting it into an affected Cisco device. A successful exploit could allow the attacker to execute the code with root privileges on the underlying OS of the affected device. |
|
9 |
CVE-2019-12573 |
59 |
|
DoS |
2019-07-11 |
2019-07-16 |
6.6 |
None |
Local |
Low |
Not required |
None |
Complete |
Complete |
|
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to overwrite arbitrary files. The openvpn_launcher binary is setuid root. This binary supports the --log option, which accepts a path as an argument. This parameter is not sanitized, which allows a local unprivileged user to overwrite arbitrary files owned by any user on the system, including root. This creates a denial of service condition and possible data loss if leveraged by a malicious local user. |
|
10 |
CVE-2019-12571 |
59 |
|
DoS |
2019-07-11 |
2019-07-16 |
6.6 |
None |
Local |
Low |
Not required |
None |
Complete |
Complete |
|
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v0.9.8 beta (build 02099) for macOS could allow an authenticated, local attacker to overwrite arbitrary files. When the client initiates a connection, the XML /tmp/pia-watcher.plist file is created. If the file exists, it will be truncated and the contents completely overwritten. This file is removed on disconnect. An unprivileged user can create a hard or soft link to arbitrary files owned by any user on the system, including root. This creates a denial of service condition and possible data loss if leveraged by a malicious local user. |
|
11 |
CVE-2019-11503 |
59 |
|
Bypass |
2019-04-24 |
2019-07-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
snap-confine as included in snapd before 2.39 did not guard against symlink races when performing the chdir() to the current working directory of the calling user, aka a "cwd restore permission bypass." |
|
12 |
CVE-2019-11502 |
59 |
|
|
2019-04-24 |
2019-05-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory. |
|
13 |
CVE-2019-11230 |
59 |
|
|
2019-07-18 |
2019-07-24 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
In Avast Antivirus before 19.4, a local administrator can trick the product into renaming arbitrary files by replacing the Logs\Update.log file with a symlink. The next time the product attempts to write to the log file, the target of the symlink is renamed. This defect can be exploited to rename a critical product file (e.g., AvastSvc.exe), causing the product to fail to start on the next system restart. |
|
14 |
CVE-2019-9949 |
59 |
|
Exec Code |
2019-05-23 |
2019-05-28 |
9.0 |
None |
Remote |
Low |
Single system |
Complete |
Complete |
Complete |
|
Western Digital My Cloud Cloud, Mirror Gen2, EX2 Ultra, EX2100, EX4100, DL2100, DL4100, PR2100 and PR4100 before firmware 2.31.183 are affected by a code execution (as root, starting from a low-privilege user session) vulnerability. The cgi-bin/webfile_mgr.cgi file allows arbitrary file write by abusing symlinks. Specifically, this occurs by uploading a tar archive that contains a symbolic link, then uploading another archive that writes a file to the link using the "cgi_untar" command. Other commands might also be susceptible. Code can be executed because the "name" parameter passed to the cgi_unzip command is not sanitized. |
|
15 |
CVE-2019-3902 |
59 |
|
|
2019-04-22 |
2019-08-06 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository. |
|
16 |
CVE-2019-3567 |
59 |
|
|
2019-06-03 |
2019-10-09 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
In some configurations an attacker can inject a new executable path into the extensions.load file for osquery and hard link a parent folder of a malicious binary to a folder with known 'safe' permissions. Under those circumstances osquery will load said malicious executable with SYSTEM permissions. The solution is to migrate installations to the 'Program Files' directory on Windows which restricts unprivileged write access. This issue affects osquery prior to v3.4.0. |
|
17 |
CVE-2019-1317 |
59 |
|
DoS |
2019-10-10 |
2019-10-11 |
5.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Complete |
|
A denial of service vulnerability exists when Windows improperly handles hard links, aka 'Microsoft Windows Denial of Service Vulnerability'. |
|
18 |
CVE-2018-20990 |
59 |
|
|
2019-08-26 |
2019-08-28 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
An issue was discovered in the tar crate before 0.4.16 for Rust. Arbitrary file overwrite can occur via a symlink or hardlink in a TAR archive. |
|
19 |
CVE-2018-20834 |
59 |
|
|
2019-04-30 |
2019-09-04 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2). |
|
20 |
CVE-2018-19638 |
59 |
|
|
2019-03-05 |
2019-05-08 |
3.3 |
None |
Local |
Medium |
Not required |
None |
Partial |
Partial |
|
In supportutils, before version 3.1-5.7.1 and if pacemaker is installed on the system, an unprivileged user could have overwritten arbitrary files in the directory that is used by supportutils to collect the log files. |
|
21 |
CVE-2018-19637 |
59 |
|
|
2019-03-05 |
2019-05-08 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
Supportutils, before version 3.1-5.7.1, wrote data to static file /tmp/supp_log, allowing local attackers to overwrite files on systems without symlink protection |
|
22 |
CVE-2018-19044 |
59 |
|
|
2018-11-08 |
2019-08-06 |
3.3 |
None |
Local |
Medium |
Not required |
None |
Partial |
Partial |
|
keepalived 2.0.8 didn't check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats. This allowed local users to overwrite arbitrary files if fs.protected_symlinks is set to 0, as demonstrated by a symlink from /tmp/keepalived.data or /tmp/keepalived.stats to /etc/passwd. |
|
23 |
CVE-2018-17955 |
59 |
|
|
2019-03-15 |
2019-10-09 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
In yast2-multipath before version 4.1.1 a static temporary filename allows local attackers to overwrite files on systems without symlink protection |
|
24 |
CVE-2018-17567 |
59 |
|
|
2018-09-27 |
2019-04-26 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows attackers to access arbitrary files by specifying a symlink in the "include" key in the "_config.yml" file. |
|
25 |
CVE-2018-15351 |
59 |
|
DoS |
2018-08-17 |
2018-10-15 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
Denial of service via crafting malicious link and sending it to a privileged user can cause Denial of Service in Kraftway 24F2XG Router firmware version 3.5.30.1118. |
|
26 |
CVE-2018-14651 |
59 |
|
DoS Exec Code |
2018-10-31 |
2019-04-02 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
It was found that the fix for CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete. A remote, authenticated attacker could use one of these flaws to execute arbitrary code, create arbitrary files, or cause denial of service on glusterfs server nodes via symlinks to relative paths. |
|
27 |
CVE-2018-13054 |
59 |
|
|
2018-07-02 |
2018-09-04 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
An issue was discovered in Cinnamon 1.9.2 through 3.8.6. The cinnamon-settings-users.py GUI runs as root and allows configuration of (for example) other users' icon files in _on_face_browse_menuitem_activated and _on_face_menuitem_activated. These icon files are written to the respective user's $HOME/.face location. If an unprivileged user prepares a symlink pointing to an arbitrary location, then this location will be overwritten with the icon content. |
|
28 |
CVE-2018-12026 |
59 |
|
|
2018-06-17 |
2018-10-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in turn can result in information disclosure and privilege escalation. |
|
29 |
CVE-2018-10928 |
59 |
|
Exec Code |
2018-09-04 |
2019-04-02 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
A flaw was found in RPC request using gfs3_symlink_req in glusterfs server which allows symlink destinations to point to file paths outside of the gluster volume. An authenticated attacker could use this flaw to create arbitrary symlinks pointing anywhere on the server and execute arbitrary code on glusterfs server nodes. |
|
30 |
CVE-2018-10722 |
59 |
|
|
2018-05-03 |
2018-06-13 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
In Cylance CylancePROTECT before 1470, an unprivileged local user can obtain SYSTEM privileges because users have Modify access to the %PROGRAMFILES%\Cylance\Desktop\log folder, the CyUpdate process grants users Modify access to new files created in this folder, and a new file can be a symlink chain to a pathname of an arbitrary DLL that CyUpdate uses. |
|
31 |
CVE-2018-10380 |
59 |
|
|
2018-05-08 |
2018-06-12 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
kwallet-pam in KDE KWallet before 5.12.6 allows local users to obtain ownership of arbitrary files via a symlink attack. |
|
32 |
CVE-2018-6557 |
59 |
|
DoS |
2018-08-21 |
2018-11-21 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The MOTD update script in the base-files package in Ubuntu 18.04 LTS before 10.1ubuntu2.2, and Ubuntu 18.10 before 10.1ubuntu6 incorrectly handled temporary files. A local attacker could use this issue to cause a denial of service, or possibly escalate privileges if kernel symlink restrictions were disabled. |
|
33 |
CVE-2018-6198 |
59 |
|
|
2018-01-24 |
2019-10-02 |
3.3 |
None |
Local |
Medium |
Not required |
None |
Partial |
Partial |
|
w3m through 0.5.3 does not properly handle temporary files when the ~/.w3m directory is unwritable, which allows a local attacker to craft a symlink attack to overwrite arbitrary files. |
|
34 |
CVE-2018-5225 |
59 |
|
Exec Code |
2018-03-22 |
2018-04-20 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
In browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13.0 through 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before 5.7.3 (the fixed version for 5.7.x), and 5.8.0 before 5.8.2 (the fixed version for 5.8.x), allows authenticated users to gain remote code execution using the in browser editing feature via editing a symbolic link within a repository. |
|
35 |
CVE-2018-5107 |
59 |
|
Bypass |
2018-06-11 |
2018-06-25 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The printing process can bypass local access protections to read files available through symlinks, bypassing local file restrictions. The printing process requires files in a specific format so arbitrary data cannot be read but it is possible that some local file information could be exposed. This vulnerability affects Firefox < 58. |
|
36 |
CVE-2018-4112 |
59 |
|
+Info |
2018-04-03 |
2018-04-27 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "ATS" component. It allows attackers to obtain sensitive information by leveraging symlink mishandling. |
|
37 |
CVE-2018-1834 |
59 |
|
|
2018-11-08 |
2019-10-09 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 contains a vulnerability that could allow a local user to escalate their privileges to root through a symbolic link attack. IBM X-Force ID: 150511. |
|
38 |
CVE-2018-1781 |
59 |
|
|
2018-11-08 |
2019-10-09 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local user to obtain root access by exploiting a symbolic link attack to read/write/corrupt a file that they originally did not have permission to access. IBM X-Force ID: 148804. |
|
39 |
CVE-2018-1780 |
59 |
|
|
2018-11-08 |
2019-10-09 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local db2 instance owner to obtain root access by exploiting a symbolic link attack to read/write/corrupt a file that they originally did not have permission to access. IBM X-Force ID: 148803. |
|
40 |
CVE-2018-1196 |
59 |
|
|
2018-03-19 |
2018-04-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible. |
|
41 |
CVE-2018-1063 |
59 |
|
|
2018-03-02 |
2018-04-11 |
3.3 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
None |
|
Context relabeling of filesystems is vulnerable to symbolic link attack, allowing a local, unprivileged malicious entity to change the SELinux context of an arbitrary file to a context with few restrictions. This only happens when the relabeling process is done, usually when taking SELinux state from disabled to enable (permissive or enforcing). The issue was found in policycoreutils 2.5-11. |
|
42 |
CVE-2017-1002101 |
59 |
|
|
2018-03-13 |
2019-10-09 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) can access files/directories outside of the volume, including the host's filesystem. |
|
43 |
CVE-2017-1000420 |
59 |
|
|
2018-01-02 |
2018-01-16 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
Syncthing version 0.14.33 and older is vulnerable to symlink traversal resulting in arbitrary file overwrite |
|
44 |
CVE-2017-1000115 |
59 |
|
|
2017-10-04 |
2019-05-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can malicious repositories to modify files outside the repository |
|
45 |
CVE-2017-18188 |
59 |
|
|
2018-02-14 |
2018-03-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
OpenRC opentmpfiles through 0.1.3, when the fs.protected_hardlinks sysctl is turned off, allows local users to obtain ownership of arbitrary files by creating a hard link inside a directory on which "chown -R" will be run. |
|
46 |
CVE-2017-18078 |
59 |
|
Bypass |
2018-01-29 |
2019-10-02 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file. |
|
47 |
CVE-2017-16611 |
59 |
|
|
2017-12-01 |
2019-10-02 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
In libXfont before 1.5.4 and libXfont2 before 2.0.3, a local attacker can open (but not read) files on the system as root, triggering tape rewinds, watchdogs, or similar mechanisms that can be triggered by opening files. |
|
48 |
CVE-2017-15111 |
59 |
|
|
2018-01-19 |
2019-08-06 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
keycloak-httpd-client-install versions before 0.8 insecurely creates temporary file allowing local attackers to overwrite other files via symbolic link. |
|
49 |
CVE-2017-15097 |
59 |
|
|
2018-07-27 |
2019-10-09 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Privilege escalation flaws were found in the Red Hat initialization scripts of PostgreSQL. An attacker with access to the postgres user account could use these flaws to obtain root access on the server machine. |
|
50 |
CVE-2017-12172 |
59 |
|
|
2017-11-22 |
2019-10-09 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9.2.24 runs under a non-root operating system account, and database superusers have effective ability to run arbitrary code under that system account. PostgreSQL provides a script for starting the database server during system boot. Packages of PostgreSQL for many operating systems provide their own, packager-authored startup implementations. Several implementations use a log file name that the database superuser can replace with a symbolic link. As root, they open(), chmod() and/or chown() this log file name. This often suffices for the database superuser to escalate to root privileges when root starts the server. |
