Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
The code reads files using user-supplied input to build file paths without proper validation. This allows attackers to manipulate the path and access files outside the intended directory, potentially exposing sensitive data.
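The pattern the rule describes, shown as an added example (not code from the rule's own page): a file reader that concatenates user input onto a base directory, beside a hardened version that resolves the final path and refuses anything that lands outside the base directory. The temporary directory layout, the file names and the `read_file_*` / `is_contained` function names are constructed for this example.

```python
import os
import tempfile
from pathlib import Path

# Constructed sandbox so the example runs offline: one public file inside
# the served directory and one "secret" file one level above it.
ROOT = Path(tempfile.mkdtemp())
PUBLIC_DIR = ROOT / "public"
PUBLIC_DIR.mkdir()
(PUBLIC_DIR / "readme.txt").write_text("public content")
(ROOT / "secret.txt").write_text("private content")


def read_file_vulnerable(base_dir: Path, user_path: str) -> str:
    """The flagged pattern: the path is built from user input and opened
    without checking where it ends up. '..' segments walk out of base_dir,
    and os.path.join discards base_dir entirely for an absolute user_path."""
    target = os.path.join(str(base_dir), user_path)
    with open(target) as f:
        return f.read()


def is_contained(base_dir: Path, user_path: str) -> bool:
    """Return True only if the fully resolved target (symlinks and '..'
    applied) is base_dir itself or lies below it."""
    root = base_dir.resolve()
    candidate = (root / user_path).resolve()  # Path('/x') / '/abs' -> '/abs'
    return candidate == root or root in candidate.parents


def read_file_safe(base_dir: Path, user_path: str) -> str:
    """Hardened reader: validate the resolved path before opening it."""
    if not is_contained(base_dir, user_path):
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    # Re-resolve so the file opened is exactly the one that was checked.
    with open((base_dir.resolve() / user_path).resolve()) as f:
        return f.read()


if __name__ == "__main__":
    print(read_file_safe(PUBLIC_DIR, "readme.txt"))          # public content
    print(read_file_vulnerable(PUBLIC_DIR, "../secret.txt")) # escapes base_dir
    try:
        read_file_safe(PUBLIC_DIR, "../secret.txt")
    except PermissionError as e:
        print("rejected:", e)
```

The check is done on the resolved path rather than on the raw string: string filters for `..` miss encoded variants and symlinks, whereas `Path.resolve()` yields the path the operating system will actually open, so comparing that against the resolved base directory is the containment test that matters.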
Impact
If exploited, an attacker could read arbitrary files from the server’s filesystem, such as configuration files, credentials, or other private data. This can lead to information leaks, further attacks, or full system compromise.