Description
View on MITREStrategy: Separation of Privilege Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
No detection method information available for this CWE.
No examples or observed CVEs available for this CWE.
CWE-59: CWE-59: Improper Link Resolution Before File Access ('Link Following') is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description
If exploited, CWE-59 (CWE-59: Improper Link Resolution Before File Access ('Link Following')) it can compromise Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism and Execute Unauthorized Code or Commands, leading to outcomes such as Scope: Confidentiality, Integrity, Access Control An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism., Scope: Other Windows simple shortcuts, sometimes referred to as soft links and can be exploited remotely since a ".
Recommended mitigations for CWE-59 include: Strategy: Separation of Privilege Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CWE-59 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-59 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.