Description
The product contains a protection mechanism that restricts access to a long filename on a Windows operating system, but it does not properly restrict access to the equivalent short "8.3" filename.
Potential Impact
Confidentiality, Integrity
Read Files or Directories, Modify Files or Directories
Mitigations & Prevention
Disable Windows from supporting 8.3 filenames by editing the Windows registry. Preventing 8.3 filenames will not remove previously generated 8.3 filenames.
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-1999-0012 | Multiple web servers allow restriction bypass using 8.3 names instead of long names |
| CVE-2001-0795 | Source code disclosure using 8.3 file name. |
| CVE-2005-0471 | Multi-Factor Vulnerability. Product generates temporary filenames using long filenames, which become predictable in 8.3 format. |
Related Weaknesses
Taxonomy Mappings
- PLOVER: — Windows 8.3 Filename
- Software Fault Patterns: SFP16 — Path Traversal
Frequently Asked Questions
What is CWE-58?
CWE-58 (Path Equivalence: Windows 8.3 Filename) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product contains a protection mechanism that restricts access to a long filename on a Windows operating system, but it does not properly restrict access to the equivalent short "8.3" filename.
How can CWE-58 be exploited?
Attackers can exploit CWE-58 (Path Equivalence: Windows 8.3 Filename) to read files or directories, modify files or directories. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-58?
Key mitigations include: Disable Windows from supporting 8.3 filenames by editing the Windows registry. Preventing 8.3 filenames will not remove previously generated 8.3 filenames.
What is the severity of CWE-58?
CWE-58 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 3 real-world CVEs.