SYM_PY_0220 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
OWASP | A05:2017 - Broken Access Control |
Confidence Level | Medium |
Impact Level | Medium |
Likelihood Level | Medium |
Description
The code takes a value from the web request (a query parameter, form field or path segment) and passes it, unchanged, as the file path to open(). Nothing checks that the resulting path stays inside the directory the application intends to serve, so an attacker can supply "../" sequences or an absolute path and make open() read a file outside that directory. Stripping "../" from the string is not a fix on its own; the path must be resolved and compared against the allowed base directory.
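The pattern above beside a hardened version, as an added example written for this entry (it is not code from the Symbiotic database or from the project that was scanned). Function and fixture names are invented; the sandbox directory and its files are constructed here so the block runs offline. The fix resolves the candidate path with pathlib (collapsing ".." and following symlinks) and then checks that the real target lies under the real base directory, instead of inspecting the client-supplied string:

```python
"""Added example: untrusted input joined straight into open(), beside a
version that confines the resolved path to a base directory."""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path resolves outside the allowed directory."""


def read_file_vulnerable(base_dir: str, user_path: str) -> bytes:
    """The flawed pattern (CWE-22): no check between the request and open().
    '../secret.txt' or '/etc/passwd' is accepted as-is."""
    with open(os.path.join(base_dir, user_path), "rb") as fh:
        return fh.read()


def resolve_under(base_dir: str, user_path: str) -> Path:
    """Map untrusted input to a path guaranteed to lie inside base_dir."""
    if "\x00" in user_path:
        raise PathTraversalError("NUL byte in requested path")
    base = Path(base_dir).resolve()
    # resolve() collapses '..' segments and follows symlinks, so the
    # containment check is made on the real target, not on the string
    # the client sent. An absolute user_path replaces base entirely and
    # is therefore rejected by the same check.
    candidate = (base / user_path).resolve()
    if base not in candidate.parents:
        raise PathTraversalError(f"{user_path!r} escapes {base}")
    return candidate


def read_file_safe(base_dir: str, user_path: str) -> bytes:
    """Hardened handler: open() only ever sees a path under base_dir."""
    target = resolve_under(base_dir, user_path)
    if not target.is_file():
        raise FileNotFoundError(user_path)
    with open(target, "rb") as fh:
        return fh.read()


def is_rejected(base_dir: str, user_path: str) -> bool:
    """True when the hardened resolver refuses the requested path."""
    try:
        resolve_under(base_dir, user_path)
    except PathTraversalError:
        return True
    return False


def make_sandbox() -> str:
    """Constructed fixture (hypothetical layout): a 'public' directory the
    application is meant to serve, next to a file that must stay private.
    Returns the path of the public directory."""
    root = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
    public = root / "public"
    public.mkdir()
    (public / "hello.txt").write_bytes(b"hello\n")
    (root / "secret.txt").write_bytes(b"db_password=hunter2\n")
    return str(public)


if __name__ == "__main__":
    public = make_sandbox()
    print("vulnerable:", read_file_vulnerable(public, "../secret.txt"))
    for requested in ("hello.txt", "../secret.txt", "/etc/passwd", "a/../../secret.txt"):
        print(f"{requested!r:>22} rejected={is_rejected(public, requested)}")
```

The check is `base in candidate.parents` on resolved paths rather than a string prefix test, so a base of "/srv/public" does not accidentally admit "/srv/public2/x", and a symlink inside the public directory that points outside it is rejected too. If symlinks out of the directory are a supported feature, the containment decision has to be made differently (for example on the unresolved path) and documented as such.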
Impact
If exploited, an attacker can read any file the application process has permission to read, such as application source, configuration files containing credentials, or system files, and, if the same unchecked path reaches open() in a write mode, overwrite or create files as well. This can lead to data leaks, unauthorized access, or further compromise of the application and the underlying system.