CME-1303

Application-Level Filesystem Access Confinement

Description

The application enforces its own filesystem access boundaries, independent of OS-level controls, using chroot-like path scoping, a virtual filesystem abstraction, or explicit directory allowlists in application code. This ensures that even when an attacker controls a file path parameter, file operations stay confined to the application data directory.
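The following is an added example of the allowlist/path-scoping approach described above; it is not code from the CME catalogue. It assumes Python 3.6+ (pathlib.Path.resolve), and the directory layout it builds (appdata/, outside/secret.txt, a symlink named "link") is constructed inline for demonstration. Every path supplied by a caller is treated as relative to the base directory, resolved (including symlinks), and rejected unless the result still lies under that base, so "..", absolute paths and symlink escapes are all blocked by the same check.

```python
import os
import tempfile
from pathlib import Path


class PathConfinementError(ValueError):
    """Raised when a requested path would leave the confined directory."""


def resolve_confined(base_dir, user_path):
    """Map an untrusted relative path onto base_dir, refusing any escape.

    Rejects absolute paths, '..' traversal and symlinks whose target lies
    outside base_dir. Returns the resolved absolute path inside base_dir.
    """
    base = Path(base_dir).resolve(strict=True)
    # Callers may never supply an absolute path; everything is relative to base.
    if os.path.isabs(str(user_path)):
        raise PathConfinementError(f"absolute path not allowed: {user_path!r}")
    # resolve() normalises '..' and follows symlinks, so a link pointing
    # outside the base directory is caught by the containment check below.
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathConfinementError(f"path escapes base directory: {user_path!r}") from None
    return candidate


class ConfinedFS:
    """Minimal virtual-filesystem wrapper: every operation is scoped to base_dir.

    Hypothetical helper for this example; application code would route all
    file access through an object like this instead of open() on raw input.
    """

    def __init__(self, base_dir):
        self.base = Path(base_dir).resolve(strict=True)

    def _path(self, user_path):
        return resolve_confined(self.base, user_path)

    def read_bytes(self, user_path):
        return self._path(user_path).read_bytes()

    def write_bytes(self, user_path, data):
        target = self._path(user_path)
        # target is already proven to be inside base, so its parent is too.
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        return target


def demo():
    """Build a constructed directory layout and exercise the confinement.

    Returns a dict describing whether each access attempt was allowed or
    blocked, so the outcome can be checked programmatically.
    """
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "outside"          # stands in for the host filesystem
        outside.mkdir()
        (outside / "secret.txt").write_bytes(b"host secret")
        base = Path(tmp) / "appdata"             # the application data directory
        base.mkdir()
        (base / "notes.txt").write_bytes(b"app data")
        try:
            (base / "link").symlink_to(outside / "secret.txt")
            symlink_ok = True
        except (OSError, NotImplementedError):   # e.g. no symlink privilege
            symlink_ok = False

        fs = ConfinedFS(base)
        results = {"inside": fs.read_bytes("notes.txt")}
        attempts = [
            ("traversal", "../outside/secret.txt"),
            ("absolute", str(outside / "secret.txt")),
            ("symlink", "link"),
        ]
        for name, attempt in attempts:
            if name == "symlink" and not symlink_ok:
                results[name] = "skipped"
                continue
            try:
                fs.read_bytes(attempt)
                results[name] = "allowed"
            except PathConfinementError:
                results[name] = "blocked"
        # Writes go through the same check, so nested paths stay under base.
        written = fs.write_bytes("uploads/report.txt", b"ok")
        results["write_inside"] = written.relative_to(base).as_posix()
        return results


if __name__ == "__main__":
    print(demo())
```

Note that the containment check is done on the fully resolved path, not on the string: string-based filters for ".." miss encodings and symlinks, whereas comparing resolved paths reflects where the OS would actually open the file.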

CVSS Vector Impacts

Metric               Transition   Rationale
Confidentiality (C)  H → L        File operations confined to application data directory; system files unreachable
Scope (S)            C → U        Application cannot access files belonging to other services or the host OS

CWE Relationships

Verification

Verify that the application restricts filesystem operations to designated directories.

$ grep -rn 'chroot\|basedir\|allowed_paths\|MEDIA_ROOT\|UPLOAD_DIR' <app_source>/
# Expected: Application-level directory confinement configured
Platform: any