Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description
The application uses user-supplied input to build file paths without proper validation, allowing attackers to manipulate the path (e.g., using ‘../’) and access files outside the intended directory. This can occur when handling file operations based on data from HTTP requests.
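As an added illustration that is not part of the rule text, the following Java snippet places the unsafe pattern described above beside a hardened version that normalizes the resolved path and checks it stays under the permitted base directory; the base directory and the sample inputs are assumptions constructed for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class RestrictedDirectoryAccess {
    // Hypothetical directory the application is allowed to serve files from.
    private static final Path BASE_DIR =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    // Unsafe: the request-supplied value is joined onto the base path as-is.
    // A value containing "../" segments resolves to a location outside BASE_DIR.
    static Path resolveUnsafe(String userSupplied) {
        return Paths.get(BASE_DIR.toString(), userSupplied);
    }

    // Hardened: resolve, normalize away "." and ".." segments, then verify the
    // result is still inside BASE_DIR before any file operation takes place.
    static Path resolveSafe(String userSupplied) throws IOException {
        Path candidate = BASE_DIR.resolve(userSupplied).normalize();
        if (!candidate.startsWith(BASE_DIR)) {
            throw new IOException("path escapes base directory: " + userSupplied);
        }
        // For existing files, also compare the symlink-resolved real paths so a
        // link placed inside BASE_DIR cannot point the operation elsewhere.
        if (Files.exists(candidate)
                && !candidate.toRealPath().startsWith(BASE_DIR.toRealPath())) {
            throw new IOException("symlink escapes base directory: " + userSupplied);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate file name and a traversal attempt.
        String[] inputs = { "report.pdf", "../../etc/hostname" };
        for (String in : inputs) {
            System.out.println("unsafe -> " + resolveUnsafe(in).normalize());
            try {
                System.out.println("safe   -> " + resolveSafe(in));
            } catch (IOException e) {
                System.out.println("safe   -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running it shows the unsafe variant resolving the second input to a path under /var/etc, while the hardened variant rejects it and accepts only the first.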
Impact
If exploited, attackers could read, modify, or overwrite sensitive files on the server, potentially exposing confidential data or disrupting application functionality. This can lead to data breaches, loss of integrity, or complete server compromise.