CWE-62: UNIX Hard Link

VariantIncomplete

The product, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

View on MITRE
Back to CWE Lookup

Extended Description

Failure for a system to check for hard links can result in vulnerability to different types of attacks. For example, an attacker can escalate their privileges if a file used by a privileged program is replaced with a hard link to a sensitive file (e.g. /etc/passwd). When the process opens the file, the attacker can assume the privileges of that process.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms
Unix

Frequently Asked Questions

What is CWE-62: UNIX Hard Link?+

CWE-62: UNIX Hard Link is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. Failure for a system to check for hard links can result in vulnerability to different types of attacks. For example, an attacker can escalate their privileges if a file used by a privileged program is replaced with a hard link to a sensitive file (e.g. /etc/passwd). When the process opens the file, the attacker can assume the privileges of that process.

What are the security consequences of UNIX Hard Link?+

If exploited, CWE-62 (UNIX Hard Link) it can compromise Confidentiality and Integrity, leading to outcomes such as Read Files or Directories and Modify Files or Directories.

Which programming languages are affected by UNIX Hard Link?+

CWE-62 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of UNIX Hard Link?+

MITRE documents real CVEs mapped to CWE-62, including CVE-2002-0793, CVE-2003-0578, CVE-1999-0783, CVE-2004-1603 and CVE-2004-1901. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-62 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More