CWE-1220 类漏洞列表 68

CWE-1220 类弱点 68 条 CVE 漏洞汇总，含 AI 中文分析。

CWE-1220 属于访问控制粒度不足漏洞。当访问控制策略过于宽泛，未能精确区分受信任与未受信任的代理时，攻击者可利用此缺陷访问敏感资产。开发者应实施最小权限原则，细化访问控制策略，确保仅授予必要的读写权限，从而防止未授权访问，提升系统安全性。

MITRE CWE 官方描述

CWE：CWE-1220 访问控制粒度不足英文：产品通过策略或其他功能实施访问控制，旨在禁用或限制来自不受信任代理对系统中资产的访问（读取和/或写入）。然而，实施的访问控制缺乏所需的粒度，导致控制策略过于宽泛，因为它允许未经授权的代理访问安全敏感的资产。集成电路和硬件引擎可以向受信任的固件或软件模块（通常由 BIOS/引导加载程序设置）暴露对资产（设备配置、密钥等）的访问。此类访问通常受到访问控制。在电源重置后，硬件或系统通常以寄存器中的默认值启动，受信任的固件（引导固件）配置必要的访问控制保护。此类保护方案中可能存在的一个常见弱点是访问控制或策略的粒度不够细。这种状况允许超出受信任代理范围的代理访问资产，可能导致功能丧失或无法安全地设置设备。这进一步导致从泄露的敏感密钥材料到设备配置被修改的安全风险。

常见影响 (1)

Confidentiality, Integrity, Availability, Access ControlModify Memory, Read Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Bypass Protection Mechanism, Other

缓解措施 (1)

Architecture and Design, Implementation, TestingAccess-control-policy protections must be reviewed for design inconsistency and common weaknesses. Access-control-policy definition and programming flow must be tested in pre-silicon, post-silicon testing.

Effectiveness: High

代码示例 (2)

Consider a system with a register for storing AES key for encryption or decryption. The key is 128 bits, implemented as a set of four 32-bit registers. The key registers are assets and registers, AES_KEY_READ_POLICY and AES_KEY_WRITE_POLICY, and are defined to provide necessary access controls. The read-policy register defines which agents can read the AES-key registers, and write-policy register …

Register Field description AES_ENC_DEC_KEY_0 AES key [0:31] for encryption or decryption Default 0x00000000 AES_ENC_DEC_KEY_1 AES key [32:63] for encryption or decryption Default 0x00000000 AES_ENC_DEC_KEY_2 AES key [64:95] for encryption or decryption Default 0x00000000 AES_ENC_DEC_KEY_4 AES key [96:127] for encryption or decryption Default 0x00000000 AES_KEY_READ_WRITE_POLICY [31:0] Default 0x00000006 - meaning agent with identities "1" and "2" can both read from and write to key registers

Bad · Other

AES_KEY_READ_POLICY [31:0] Default 0x00000002 - meaning only Crypto engine with identity "1" can read registers: AES_ENC_DEC_KEY_0, AES_ENC_DEC_KEY_1, AES_ENC_DEC_KEY_2, AES_ENC_DEC_KEY_3 AES_KEY_WRITE_POLICY [31:0] Default 0x00000004 - meaning only trusted firmware with identity "2" can program registers: AES_ENC_DEC_KEY_0, AES_ENC_DEC_KEY_1, AES_ENC_DEC_KEY_2, AES_ENC_DEC_KEY_3

Good · Other

Within the AXI node interface wrapper module in the RISC-V AXI module of the HACK@DAC'19 CVA6 SoC [REF-1346], an access control mechanism is employed to regulate the access of different privileged users to peripherals.

... for (i=0; i<NB_SUBORDINATE; i++) begin for (j=0; j<NB_MANAGER; j++) begin assign connectivity_map_o[i][j] = access_ctrl_i[i][j][priv_lvl_i] || ((j==6) && access_ctrl_i[i][7][priv_lvl_i]); end end ...

Bad · Verilog

... for (i=0; i<NB_SUBORDINATE; i++) begin for (j=0; j<NB_MANAGER; j++) begin assign connectivity_map_o[i][j] = access_ctrl_i[i][j][priv_lvl_i]; end end ...

Good · Verilog

CVE ID	标题	CVSS	风险等级	Published
CVE-2026-38743	Apache Airflow 安全漏洞 — Apache Airflow	4.3^AI	Medium^AI	2026-04-24
CVE-2026-40690	Apache Airflow 安全漏洞 — Apache Airflow	4.3^AI	Medium^AI	2026-04-24
CVE-2026-6388	Red Hat OpenShift GitOps 安全漏洞 — Red Hat OpenShift GitOps	9.1	Critical	2026-04-15
CVE-2026-33825	Microsoft Defender 安全漏洞 — Microsoft Defender Antimalware Platform	7.8	High	2026-04-14
CVE-2025-20628	PingIdentity PingIDM 安全漏洞 — PingIDM	5.9^AI	Medium^AI	2026-04-07
CVE-2026-20107	Cisco Application Policy Infrastructure Controller 安全漏洞 — Cisco Application Policy Infrastructure Controller (APIC)	5.5	Medium	2026-02-25
CVE-2025-48514	AMD Processors 安全漏洞 — AMD EPYC™ 9004 Series Processors	2.3^AI	Low^AI	2026-02-10
CVE-2025-48517	AMD EPYC 9005 Series 安全漏洞 — AMD EPYC™ 9005 Series Processors	3.2^AI	Low^AI	2026-02-10
CVE-2024-4147	Lunary 安全漏洞 — lunary-ai/lunary	4.3^AI	Medium^AI	2026-02-02
CVE-2025-11246	GitLab Enterprise Edition（EE）和GitLab Community Edition（CE）安全漏洞 — GitLab	5.4	Medium	2026-01-09
CVE-2025-8306	Asseco InfoMedica 安全漏洞 — InfoMedica Plus	8.8	-	2026-01-08
CVE-2025-20305	Cisco Identity Services Engine 安全漏洞 — Cisco Identity Services Engine Software	4.3	Medium	2025-11-05
CVE-2025-8049	OpenText Flipper 安全漏洞 — Flipper	7.8^AI	High^AI	2025-10-20
CVE-2025-8053	OpenText Flipper 安全漏洞 — Flipper	8.8^AI	High^AI	2025-10-20
CVE-2025-54461	ChatLuck 安全漏洞 — ChatLuck	9.1^AI	Critical^AI	2025-10-16
CVE-2025-7493	Red Hat FreeIPA 安全漏洞 — Red Hat Enterprise Linux 10	9.1	Critical	2025-09-30
CVE-2024-21947	AMD Embedded Processors和AMD Client Processor 安全漏洞 — AMD Ryzen™ Threadripper™ 3000 Processors	7.5	High	2025-09-06
CVE-2025-31961	HCL Connections 安全漏洞 — Connections	3.7	Low	2025-08-15
CVE-2025-2498	GitLab Enterprise Edition 安全漏洞 — GitLab	3.1	Low	2025-08-13
CVE-2025-7001	GitLab Enterprise Edition（EE）和GitLab Community Edition（CE）安全漏洞 — GitLab	4.3	Medium	2025-07-24
CVE-2025-3648	ServiceNow Now Platform 安全漏洞 — Now Platform	5.3^AI	Medium^AI	2025-07-08
CVE-2025-27026	Infinera G42 安全漏洞 — G42	4.9	Medium	2025-07-02
CVE-2025-4404	Red Hat FreeIPA 安全漏洞	9.1	Critical	2025-06-17
CVE-2025-5982	GitLab Enterprise Edition 多款产品安全漏洞 — GitLab	3.7	Low	2025-06-12
CVE-2025-1110	GitLab Enterprise Edition（EE）和GitLab Community Edition（CE）安全漏洞 — GitLab	2.7	Low	2025-05-22
CVE-2025-4979	GitLab Enterprise Edition（EE）和GitLab Community Edition（CE）安全漏洞 — GitLab	4.9	Medium	2025-05-22
CVE-2025-32703	Microsoft Visual Studio 安全漏洞 — Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)	5.5	Medium	2025-05-13
CVE-2025-1278	GitLab Enterprise Edition和GitLab Community Edition 安全漏洞 — GitLab	5.3	Medium	2025-05-09
CVE-2025-2408	GitLab Enterprise Edition（EE）和GitLab Community Edition（CE）安全漏洞 — GitLab	5.3	Medium	2025-04-10
CVE-2024-33058	Qualcomm Chipsets 安全漏洞 — Snapdragon	7.5	High	2025-04-07

CWE-1220 是常见的弱点类别，本平台收录该类弱点关联的 68 条 CVE 漏洞。

目标达成 感谢每一位支持者 — 我们达成了 100% 目标！

CWE-1220 类漏洞列表 68

目标达成感谢每一位支持者 — 我们达成了 100% 目标！