
CWE-12 ASP.NET Misconfiguration: Missing Custom Error Page, vulnerability list (1)

Summary of the 1 CVE vulnerability recorded for the weakness CWE-12 ASP.NET Misconfiguration: Missing Custom Error Page, with AI analysis in Chinese.

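CWE-12 is an ASP.NET configuration error in which the application does not enable custom error pages. Attackers commonly exploit this flaw by triggering exceptions and reading the detailed stack traces or path information in the framework's built-in responses, mining sensitive data to support follow-on attacks. Developers should explicitly enable custom error pages in the configuration file so that users see only a generic error message, which blocks the disclosure of sensitive information and improves application security.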

MITRE CWE official description
CWE: CWE-12 ASP.NET Misconfiguration: Missing Custom Error Page
English description: An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.

Common consequences (1)
Confidentiality: Read Application Data
Default error pages give detailed information about the error that occurred, and should not be used in production environments. Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the app…

Mitigations (3)
System Configuration: Handle exceptions appropriately in source code. ASP .NET applications should be configured to use custom error pages instead of the framework default page.
Architecture and Design: Do not attempt to process an error or attempt to mask it.
Implementation: Verify return values are correct and do not supply sensitive information about the system.

Code examples (1)
The mode attribute of the <customErrors> tag in the Web.config file defines whether custom or default error pages are used.

Bad · ASP.NET:
<customErrors mode="Off" />

Good · ASP.NET:
<customErrors mode="RemoteOnly" />
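
A configuration check for the setting above, as an added example (not code from MITRE or from this site): it parses a Web.config and grades the <customErrors> mode at the root and inside each <location> override, since a per-path override can reintroduce mode="Off". The sample Web.config, the function names and the PASS/FAIL/REVIEW labels are constructed for illustration; "On" comes from ASP.NET's documented value set, not from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config: the root section is fine, one <location> override is not.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.html" />
  </system.web>
  <location path="admin">
    <system.web>
      <customErrors mode="Off" />
    </system.web>
  </location>
</configuration>"""

def _local(el):
    """Element name without any XML namespace prefix."""
    return el.tag.rsplit("}", 1)[-1]

def _child(parent, name):
    """First direct child with this local name, or None."""
    if parent is None:
        return None
    return next((el for el in parent if _local(el) == name), None)

def audit_custom_errors(xml_text):
    """Return (scope, mode, verdict) tuples for the root and each <location>."""
    root = ET.fromstring(xml_text)
    scopes = [("<root>", root)]
    scopes += [(el.get("path", ""), el) for el in root if _local(el) == "location"]
    findings = []
    for scope, node in scopes:
        ce = _child(_child(node, "system.web"), "customErrors")
        if ce is None:
            # Nothing set in this scope: the value is inherited from a parent config.
            if scope == "<root>":
                findings.append((scope, None, "REVIEW"))
            continue
        mode = ce.get("mode")
        if mode == "Off":
            verdict = "FAIL"    # framework default error page for every client
        elif mode in ("On", "RemoteOnly"):
            verdict = "PASS"    # remote clients receive the custom page
        else:
            verdict = "REVIEW"  # mode attribute missing or not a known value
        findings.append((scope, mode, verdict))
    return findings

if __name__ == "__main__":
    for scope, mode, verdict in audit_custom_errors(SAMPLE_WEB_CONFIG):
        print(f"{verdict:6} scope={scope!r} customErrors mode={mode!r}")
```

A REVIEW result at the root means this file does not set the value itself, so the effective mode has to be confirmed in the parent configuration.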

Related CVEs
CVE ID: CVE-2020-6994
Title: Belden HiOS input validation error vulnerability — HiOS for the following devices RSP, RSPE, RSPS, RSPL, MSP, EES, EES, EESX, GRS, OS, RED
CVSS: 9.8
Risk level: -
Published: 2020-04-03

CWE-12 (ASP.NET Misconfiguration: Missing Custom Error Page) is a common weakness category; this platform lists 1 CVE vulnerability associated with it.