CWE-249: DEPRECATED: Often Misused: Path Manipulation
Weakness ID: 249
Vulnerability Mapping:PROHIBITEDThis CWE ID must not be used to map to real-world vulnerabilities Abstraction:
VariantVariant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.
View customized information:
For users who are interested in more notional aspects of a weakness. Example: educators, technical writers, and project/program managers.For users who are concerned with the practical application and details about the nature of a weakness and how to prevent it from happening. Example: tool developers, security researchers, pen-testers, incident response analysts.For users who are mapping an issue to CWE/CAPEC IDs, i.e., finding the most appropriate CWE for a specific issue (e.g., a CVE record). Example: tool developers, security researchers.For users who wish to see all available information for the CWE/CAPEC entry.For users who want to customize what details are displayed.
×
Edit Custom Filter
Description
This entry has been deprecated because of name
confusion and an accidental combination of multiple
weaknesses. Most of its content has been transferred to
CWE-785.
Extended Description
This entry was deprecated for several reasons. The primary
reason is over-loading of the "path manipulation" term and the
description. The original description for this entry was the
same as that for the "Often Misused: File System" item in the
original Seven Pernicious Kingdoms paper. However, Seven
Pernicious Kingdoms also has a "Path Manipulation" phrase that
is for external control of pathnames (CWE-73), which is a
factor in symbolic link following and path traversal, neither
of which is explicitly mentioned in 7PK. Fortify uses the
phrase "Often Misused: Path Manipulation" for a broader range
of problems, generally for issues related to buffer
management. Given the multiple conflicting uses of this term,
there is a chance that CWE users may have incorrectly mapped
to this entry.
The second reason for deprecation is an implied combination of
multiple weaknesses within buffer-handling functions. The
focus of this entry was generally on the path-conversion
functions and their association with buffer
overflows. However, some of Fortify's Vulncat entries have the
term "path manipulation" but describe a non-overflow weakness
in which the buffer is not guaranteed to contain the entire
pathname, i.e., there is information truncation (see CWE-222
for a similar concept). A new entry for this non-overflow
weakness may be created in a future version of CWE.
Vulnerability Mapping Notes
Usage:
PROHIBITED
(this CWE ID must not be used to map to real-world vulnerabilities)
Reason:
Deprecated
Rationale:
This CWE has been deprecated.
Comments:
See description for suggestions for other CWE IDs to use.
Description
