The software uses external input to construct a pathname that
is intended to identify a file or directory that is located underneath a
restricted parent directory, but the software does not properly neutralize
special elements within the pathname that can cause the pathname to resolve to a
location that is outside of the restricted directory.
The product behaves differently or sends different responses in
a way that exposes security-relevant information about the state of the product,
such as whether a particular operation was successful or