Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description#
User input from a web request is being used directly to build file paths with os.path.join() and then passed to open(). This allows attackers to manipulate the file path and potentially access files outside the intended directory.
Impact#
If exploited, attackers could read sensitive files on the server, such as configuration files, user data, or authentication credentials. This can lead to data leaks, breaches of confidentiality, and further compromise of the application or server.