Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

CVEs (1,502)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2015-5701 1Tug 1Texlive May 13, 2026 Aug 25, 2017 N/A· v4 6.1 MEDIUM· v3 5.6 MEDIUM· v2 mktexlsr revision 36855, and before revision 36626 as packaged in texlive allows local users to write to arbitrary files via a symlink attack. NOTE: this vulnerability exists due to the reversion of a fix of CVE-2015-57...Show more mktexlsr revision 36855, and before revision 36626 as packaged in texlive allows local users to write to arbitrary files via a symlink attack. NOTE: this vulnerability exists due to the reversion of a fix of CVE-2015-5700.Show less
CVE-2015-5700 1Tug 1Texlive May 13, 2026 Aug 25, 2017 N/A· v4 6.1 MEDIUM· v3 5.6 MEDIUM· v2 mktexlsr revision 22855 through revision 36625 as packaged in texlive allows local users to write to arbitrary files via a symlink attack.
CVE-2015-3211 1Php Fpm 1Php Fpm May 13, 2026 Aug 25, 2017 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 php-fpm allows local users to write to or create arbitrary files via a symlink attack.
CVE-2015-3156 1Openstack 1Trove May 13, 2026 Aug 11, 2017 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 The _write_config function in trove/guestagent/datastore/experimental/mongodb/service.py, reset_configuration function in trove/guestagent/datastore/experimental/postgresql/service/config.py, write_config function in tro...Show more The _write_config function in trove/guestagent/datastore/experimental/mongodb/service.py, reset_configuration function in trove/guestagent/datastore/experimental/postgresql/service/config.py, write_config function in trove/guestagent/datastore/experimental/redis/service.py, _write_mycnf function in trove/guestagent/datastore/mysql/service.py, InnoBackupEx::_run_prepare function in trove/guestagent/strategies/restore/mysql_impl.py, InnoBackupEx::cmd function in trove/guestagent/strategies/backup/mysql_impl.py, MySQLDump::cmd in trove/guestagent/strategies/backup/mysql_impl.py, InnoBackupExIncremental::cmd function in trove/guestagent/strategies/backup/mysql_impl.py, _get_actual_db_status function in trove/guestagent/datastore/experimental/cassandra/system.py and trove/guestagent/datastore/experimental/cassandra/service.py, and multiple class CbBackup methods in trove/guestagent/strategies/backup/experimental/couchbase_impl.py in Openstack DBaaS (aka Trove) as packaged in Openstack before 2015.1.0 (aka Kilo) allows local users to write to configuration files via a symlink attack on a temporary file.Show less
CVE-2015-3149 1Redhat 7Enterprise Linux Desktop Enterprise Linux Hpc NodeEnterprise Linux Hpc Node Eus+4 more May 13, 2026 Jul 25, 2017 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 The Hotspot component in OpenJDK8 as packaged in Red Hat Enterprise Linux 6 and 7 allows local users to write to arbitrary files via a symlink attack.
CVE-2015-3315 1Redhat 1Automatic Bug Reporting Tool May 13, 2026 Jun 26, 2017 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Automatic Bug Reporting Tool (ABRT) allows local users to read, change the ownership of, or have other unspecified impact on arbitrary files via a symlink attack on (1) /var/tmp/abrt//maps, (2) /tmp/jvm-/hs_error.log,...Show more Automatic Bug Reporting Tool (ABRT) allows local users to read, change the ownership of, or have other unspecified impact on arbitrary files via a symlink attack on (1) /var/tmp/abrt//maps, (2) /tmp/jvm-/hs_error.log, (3) /proc/*/exe, (4) /etc/os-release in a chroot, or (5) an unspecified root directory related to librpm.Show less
CVE-2017-9525 2Cron Project Debian 2Cron Debian Linux May 13, 2026 Jun 9, 2017 N/A· v4 6.7 MEDIUM· v3 6.9 MEDIUM· v2 In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of...Show more In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the chown and chmod programs.Show less
CVE-2016-3108 1Pulpproject 1Pulp May 13, 2026 Jun 8, 2017 N/A· v4 7.1 HIGH· v3 3.6 LOW· v2 The pulp-gen-nodes-certificate script in Pulp before 2.8.3 allows local users to leak the keys or write to arbitrary files via a symlink attack.
CVE-2017-8108 1Cisofy 1Lynis May 13, 2026 Jun 8, 2017 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Unspecified tests in Lynis before 2.5.0 allow local users to write to arbitrary files or possibly gain privileges via a symlink attack on a temporary file.
CVE-2015-6240 1Redhat 1Ansible May 13, 2026 Jun 7, 2017 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 The chroot, jail, and zone connection plugins in ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack.
CVE-2015-8326 1Iptables Parse Project 1Iptables Parse Module May 13, 2026 Jun 7, 2017 N/A· v4 5.5 MEDIUM· v3 3.6 LOW· v2 The IPTables-Parse module before 1.6 for Perl allows local users to write to arbitrary files owned by the current user.
CVE-2015-7724 1Amd 1Fglrx Driver May 13, 2026 Jun 7, 2017 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 AMD fglrx-driver before 15.9 allows local users to gain privileges via a symlink attack. NOTE: This vulnerability exists due to an incomplete fix for CVE-2015-7723.
CVE-2015-7723 1Amd 1Fglrx Driver May 13, 2026 Jun 7, 2017 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 AMD fglrx-driver before 15.7 allows local users to gain privileges via a symlink attack.
CVE-2017-6981 1Apple 2Iphone Os Mac Os X May 13, 2026 May 22, 2017 N/A· v4 7.8 HIGH· v3 9.3 HIGH· v2 An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. The issue involves the "iBooks" component. It allows attackers to execute arbitrary code in a privileged...Show more An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. The issue involves the "iBooks" component. It allows attackers to execute arbitrary code in a privileged context via a crafted app that uses symlinks.Show less
CVE-2016-10374 1Perltidy Project 1Perltidy May 13, 2026 May 17, 2017 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 perltidy through 20160302, as used by perlcritic, check-all-the-things, and other software, relies on the current working directory for certain output files and does not have a symlink-attack protection mechanism, which...Show more perltidy through 20160302, as used by perlcritic, check-all-the-things, and other software, relies on the current working directory for certain output files and does not have a symlink-attack protection mechanism, which allows local users to overwrite arbitrary files by creating a symlink, as demonstrated by creating a perltidy.ERR symlink that the victim cannot delete.Show less
CVE-2017-7418 1Proftpd 1Proftpd May 13, 2026 Apr 4, 2017 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component wh...Show more ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.Show less
CVE-2017-2390 1Apple 4Iphone Os Mac Os XTvos+1 more May 13, 2026 Apr 2, 2017 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 An issue was discovered in certain Apple products. iOS before 10.3 is affected. macOS before 10.12.4 is affected. tvOS before 10.2 is affected. watchOS before 3.2 is affected. The issue involves symlink mishandling in th...Show more An issue was discovered in certain Apple products. iOS before 10.3 is affected. macOS before 10.12.4 is affected. tvOS before 10.2 is affected. watchOS before 3.2 is affected. The issue involves symlink mishandling in the "libarchive" component. It allows local users to change arbitrary directory permissions via unspecified vectors.Show less
CVE-2016-9774 3Apache CanonicalDebian 3Debian Linux TomcatUbuntu Linux May 13, 2026 Mar 23, 2017 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 The postinst script in the tomcat6 package before 6.0.45+dfsg-1~deb7u4 on Debian wheezy, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before 7.0.28-4+deb7u8 on Debian wheezy,...Show more The postinst script in the tomcat6 package before 6.0.45+dfsg-1~deb7u4 on Debian wheezy, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before 7.0.28-4+deb7u8 on Debian wheezy, before 7.0.56-3+deb8u6 on Debian jessie, before 7.0.52-1ubuntu0.8 on Ubuntu 14.04 LTS, and on Ubuntu 12.04 LTS, 16.04 LTS, and 16.10; and the tomcat8 package before 8.0.14-1+deb8u5 on Debian jessie, before 8.0.32-1ubuntu1.3 on Ubuntu 16.04 LTS, before 8.0.37-1ubuntu0.1 on Ubuntu 16.10, and before 8.0.38-2ubuntu1 on Ubuntu 17.04 might allow local users with access to the tomcat account to obtain sensitive information or gain root privileges via a symlink attack on the Catalina localhost directory.Show less
CVE-2016-7619 1Apple 3Iphone Os Mac Os XWatchos May 13, 2026 Feb 20, 2017 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "libarchive" component, which allows local users...Show more An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "libarchive" component, which allows local users to write to arbitrary files via vectors related to symlinks.Show less
CVE-2016-4679 1Apple 4Iphone Os Mac Os XTvos+1 more May 13, 2026 Feb 20, 2017 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "libarchive" compon...Show more An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "libarchive" component, which allows remote attackers to write to arbitrary files via a crafted archive containing a symlink.Show less

Previous 1...515253...76 Next