Base · Draft
CWE-427: Uncontrolled Search Path Element
Category: other
Description
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Common consequences · 1
- Confidentiality / Integrity / Availability — Execute Unauthorized Code or Commands
Potential mitigations · 5
- [Architecture and Design, Implementation] Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
- [Implementation] When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. Portability can be improved by keeping the fully-qualified paths in a centralized, easily-modifiable location within the source code and having the rest of the code refer to them.
- [Implementation] Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, other settings that identify the location of code libraries, and any application-specific search paths.
- [Implementation] Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary-files directory. Since this is a denylist approach, it might not be a complete solution.
- [Implementation] Use functions that require explicit paths. Choosing one of the readily available functions that require an explicit path is a safe way to avoid this problem. For example, system() in C does not require a full path, since the shell locates the program using the PATH environment variable, while execl() and execv() require a full path.
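As an added example (not code from the CWE entry or from any product it references), the following C code combines the third, fourth and fifth mitigations: it filters a PATH-style list with the denylist approach described above and then launches a helper by fully-qualified path under a minimal environment built by the caller. The function names and the set of dropped elements (empty entries, relative entries, /tmp) are illustrative assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Decide whether one PATH element may stay: drop empty entries, ".", any
 * relative element and the temporary-files directory (/tmp). */
static int element_is_safe(const char *elem, size_t len)
{
    if (len == 0 || elem[0] != '/')   /* "", "." and "bin" resolve relative to the CWD */
        return 0;
    if (len >= 4 && strncmp(elem, "/tmp", 4) == 0 && (len == 4 || elem[4] == '/'))
        return 0;
    return 1;
}

/* Copy only the safe elements of `path` into `out` (outlen >= 1); returns the number
 * removed, or -1 if `out` is too small. Denylist: remaining entries are not proven safe. */
int sanitize_search_path(const char *path, char *out, size_t outlen)
{
    size_t used = 0;
    int removed = 0;
    out[0] = '\0';
    for (;;) {
        const char *colon = strchr(path, ':');
        size_t len = colon ? (size_t)(colon - path) : strlen(path);
        if (element_is_safe(path, len)) {
            if (used + len + (used ? 1 : 0) + 1 > outlen)
                return -1;            /* never truncate a path element silently */
            if (used) out[used++] = ':';
            memcpy(out + used, path, len);
            used += len;
            out[used] = '\0';
        } else
            removed++;
        if (!colon)
            return removed;
        path = colon + 1;
    }
}

/* Launch a helper by absolute path with an environment built here rather than
 * inherited: no LD_LIBRARY_PATH, no app-specific search paths, only a filtered PATH.
 * execve() never searches PATH itself. Returns only on failure (-1, errno set). */
int run_with_clean_env(const char *abs_program, char *const argv[], const char *safe_path)
{
    char path_var[4096];
    snprintf(path_var, sizeof path_var, "PATH=%s", safe_path);
    char *envp[] = { path_var, NULL };
    return execve(abs_program, argv, envp);
}
```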
Related CAPEC attack patterns · 2
References
Exploits (incoming) · 2
| Type | Target | Confidence | Tier |
|---|---|---|---|
| AttackPattern | Leveraging/Manipulating Configuration File Search Paths (capec-38) | 100% | live |
| AttackPattern | Search Order Hijacking (capec-471) | 100% | live |
Compliance frameworks addressing this (incoming) · 1
| Type | Target | Confidence | Tier |
|---|---|---|---|
| ComplianceControl | cis_v8-2 | 100% | live |
(incoming) · 30
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Vulnerability | CVE-2025-15558 (cve-2025-15558) | 0% | live |
| Vulnerability | CVE-2025-23309 (cve-2025-23309) | 0% | live |
| Vulnerability | CVE-2025-23358 (cve-2025-23358) | 0% | live |
| Vulnerability | CVE-2025-27997 (cve-2025-27997) | 0% | live |
| Vulnerability | CVE-2025-32917 (cve-2025-32917) | 0% | live |
| Vulnerability | CVE-2025-33208 (cve-2025-33208) | 0% | live |
| Vulnerability | CVE-2025-36004 (cve-2025-36004) | 0% | live |
| Vulnerability | CVE-2025-49155 (cve-2025-49155) | 0% | live |
| Vulnerability | CVE-2025-4981 (cve-2025-4981) | 0% | live |
| Vulnerability | CVE-2025-56383 (cve-2025-56383) | 0% | live |
| Vulnerability | CVE-2025-59684 (cve-2025-59684) | 0% | live |
| Vulnerability | CVE-2025-59887 (cve-2025-59887) | 0% | live |
| Vulnerability | CVE-2025-59889 (cve-2025-59889) | 0% | live |
| Vulnerability | CVE-2025-61161 (cve-2025-61161) | 0% | live |
| Vulnerability | CVE-2025-65118 (cve-2025-65118) | 0% | live |
| Vulnerability | CVE-2025-65741 (cve-2025-65741) | 0% | live |
| Vulnerability | CVE-2025-69599 (cve-2025-69599) | 0% | live |
| Vulnerability | CVE-2025-69784 (cve-2025-69784) | 0% | live |
| Vulnerability | CVE-2025-9844 (cve-2025-9844) | 0% | live |
| Vulnerability | CVE-2026-22619 (cve-2026-22619) | 0% | live |
| Vulnerability | CVE-2026-2360 (cve-2026-2360) | 0% | live |
| Vulnerability | CVE-2026-2361 (cve-2026-2361) | 0% | live |
| Vulnerability | CVE-2026-23741 (cve-2026-23741) | 0% | live |
| Vulnerability | CVE-2026-29610 (cve-2026-29610) | 0% | live |
| Vulnerability | CVE-2026-30478 (cve-2026-30478) | 0% | live |
| Vulnerability | CVE-2026-32172 (cve-2026-32172) | 0% | live |
| Vulnerability | CVE-2026-34632 (cve-2026-34632) | 0% | live |
| Vulnerability | CVE-2026-40342 (cve-2026-40342) | 0% | live |
| KEVEntry | Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability (kev-cve-2020-3153) | 0% | live |
| KEVEntry | Cisco AnyConnect Secure Mobility Client for Windows DLL Hijacking Vulnerability (kev-cve-2020-3433) | 0% | live |
Related by meaning · 6
Nearest entities by semantic similarity across the cs-graph corpus.