CWE-427: CWE-427: Uncontrolled Search Path Element

BaseStable

Description

View on MITRE
Back to CWE Lookup

Extended Description

Extended Description

Technical Details

Structure
Simple
Vulnerability Mapping
ALLOWED

Applicable To

Languages
Languages
Platforms
Languages

Frequently Asked Questions

What is CWE-427: CWE-427: Uncontrolled Search Path Element?+

CWE-427: CWE-427: Uncontrolled Search Path Element is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description Extended Description

What are the security consequences of CWE-427: Uncontrolled Search Path Element?+

If exploited, CWE-427 (CWE-427: Uncontrolled Search Path Element) it can compromise Execute Unauthorized Code or Commands, leading to outcomes such as Scope: Confidentiality, Integrity and Availability.

How do you prevent or mitigate CWE-427: Uncontrolled Search Path Element?+

Recommended mitigations for CWE-427 include: Strategy: Attack Surface Reduction Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428 . Strategy: Attack Surface Reduction When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths. Strategy: Attack Surface Reduction Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.

Which programming languages are affected by CWE-427: Uncontrolled Search Path Element?+

CWE-427 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-427 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More