Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The code builds a file path from values taken directly out of HTTP path parameters without validating them. An attacker can therefore manipulate the path (for example, by inserting ‘../’ segments) so that it resolves to files outside the intended directory.
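The following is an added example, not code from the original page: a Java path-resolution helper in the shape this rule flags, beside a hardened version that normalises the resolved path and checks it still lies under the base directory. The base directory, method names and sample inputs are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example (not from the original page). BASE_DIR is a placeholder for
// whatever directory the application is meant to serve files from.
public class PathTraversalExample {
    private static final Path BASE_DIR =
            Paths.get("/srv/app/public").toAbsolutePath().normalize();

    // Vulnerable: the HTTP path parameter is joined straight onto the base
    // directory. "../../../etc/passwd" becomes /srv/app/public/../../../etc/passwd,
    // which the filesystem resolves to /etc/passwd.
    static Path resolveUnsafe(String pathParam) {
        return Paths.get(BASE_DIR.toString(), pathParam);
    }

    // Hardened: resolve against the base directory, collapse "." and ".."
    // segments, then reject any result that is no longer inside BASE_DIR.
    // Path.resolve() also handles an absolute parameter such as "/etc/passwd"
    // by returning it unchanged, so the startsWith check rejects that too.
    static Path resolveSafe(String pathParam) {
        Path candidate = BASE_DIR.resolve(pathParam).normalize();
        if (!candidate.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException(
                    "path escapes base directory: " + pathParam);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate, two traversal attempts.
        String[] inputs = {"reports/2024.pdf", "../../../etc/passwd", "/etc/passwd"};
        for (String in : inputs) {
            System.out.println("unsafe: " + in + " -> " + resolveUnsafe(in));
            try {
                System.out.println("safe  : " + in + " -> " + resolveSafe(in));
            } catch (IllegalArgumentException e) {
                System.out.println("safe  : " + in + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

If BASE_DIR may contain symbolic links pointing outside it, apply the same startsWith check to `candidate.toRealPath()` against `BASE_DIR.toRealPath()` as well, since normalize() only rewrites the string and does not consult the filesystem.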
Impact
An attacker could exploit this to read, modify, or delete sensitive files on the server that should not be accessible, potentially exposing confidential data or disrupting application functionality.