Software firms have been urged by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to ensure the absence of path traversal (directory traversal) vulnerabilities in their products prior to shipping, BleepingComputer reports.
Mitigating such flaws, which could be exploited to facilitate code execution and authentication bypass, could be achieved through random identifier generation for files with separate metadata storage, character restrictions in file names, and removing executable permissions from uploaded files, said the agencies in a joint advisory.
The alert was issued following separate attack campaigns exploiting directory traversal bugs, tracked as CVE-2024-1708 and CVE-2024-20345, to compromise U.S. critical infrastructure organizations.
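The following Python upload store is an added illustration of the four mitigations listed above; it is not code from the advisory, from BleepingComputer, or from any affected vendor. It assumes a simple on-disk layout (a `blobs/` directory for content and a `meta/` directory for JSON records), a constructed allow-list of file name characters, and a constructed sample upload; the `is_contained` helper shows the containment check a reviewer can use to confirm a resolved path never escapes its root.

```python
import json
import os
import re
import secrets
import stat
import tempfile
from pathlib import Path
from typing import Optional

# Constructed policy: the only characters accepted in a client-supplied name.
# Separators, NUL, '%' (URL-encoded traversal) and whitespace are all excluded.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9._-]{1,128}")
FILE_ID = re.compile(r"[0-9a-f]{32}")


def is_contained(root: str, candidate: str) -> bool:
    """True if root/candidate resolves to a location inside root (symlinks followed)."""
    root_path = Path(root).resolve()
    target = (root_path / candidate).resolve()
    return target == root_path or root_path in target.parents


class UploadStore:
    def __init__(self, root: str) -> None:
        self.root = Path(root).resolve()
        self.blobs = self.root / "blobs"   # file content, named by random id only
        self.meta = self.root / "meta"     # client-supplied name kept out of the path
        self.blobs.mkdir(parents=True, exist_ok=True)
        self.meta.mkdir(parents=True, exist_ok=True)

    def save(self, client_filename: str, data: bytes) -> str:
        # Mitigation 3: restrict characters; reject rather than try to sanitize.
        if not ALLOWED_NAME.fullmatch(client_filename) or client_filename in (".", ".."):
            raise ValueError("rejected filename")
        # Mitigation 1: the on-disk name is a random identifier, never client input.
        file_id = secrets.token_hex(16)
        blob_path = self.blobs / file_id
        # Mitigation 4: create with 0o600 (no execute bit), refusing to clobber.
        fd = os.open(blob_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.chmod(blob_path, 0o600)  # explicit, so the process umask cannot widen it
        # Mitigation 2: original name lives in separate metadata, not in a path.
        record = {"original_name": client_filename, "size": len(data)}
        (self.meta / f"{file_id}.json").write_text(json.dumps(record))
        return file_id

    def resolve(self, file_id: str) -> Path:
        # Only well-formed ids are looked up; then the resolved path is re-checked.
        if not FILE_ID.fullmatch(file_id):
            raise ValueError("invalid file id")
        path = (self.blobs / file_id).resolve()
        if path.parent != self.blobs:
            raise ValueError("path escapes store")
        return path

    def original_name(self, file_id: str) -> str:
        self.resolve(file_id)  # validates the id before touching metadata
        return json.loads((self.meta / f"{file_id}.json").read_text())["original_name"]


def demo(root: Optional[str] = None) -> dict:
    """Exercise the store on a constructed upload and a set of hostile names."""
    root = root or tempfile.mkdtemp(prefix="uploads-")
    store = UploadStore(root)
    file_id = store.save("report.pdf", b"%PDF-1.4 constructed sample")
    path = store.resolve(file_id)
    rejected = []
    for name in ["../../etc/passwd", "..\\..\\win.ini", "a/b.txt", "..", "%2e%2e%2fetc"]:
        try:
            store.save(name, b"x")
        except ValueError:
            rejected.append(name)
    try:
        store.resolve("../" + file_id)
        traversal_id_rejected = False
    except ValueError:
        traversal_id_rejected = True
    return {
        "file_id": file_id,
        "mode": stat.S_IMODE(path.stat().st_mode),
        "original_name": store.original_name(file_id),
        "rejected": rejected,
        "traversal_id_rejected": traversal_id_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that rejection, not sanitization, is the default: stripping `..` from a name invites encoding and double-decoding bypasses, whereas a random id plus a post-resolution containment check removes the client name from the path entirely.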
"Directory traversal exploits succeed because technology manufacturers fail to treat user supplied content as potentially malicious, hence failing to adequately protect their customers. Vulnerabilities like directory traversal have been called 'unforgivable' since at least 2007. Despite this finding, directory traversal vulnerabilities (such as CWE-22 and CWE-23) are still prevalent classes of vulnerability," said the agencies.