
CWE-138 Improper Neutralization of Special Elements: vulnerability list (12)

Summary of the 12 CVEs classed under CWE-138 (Improper Neutralization of Special Elements), with AI-generated analysis in Chinese.

CWE-138 covers a product that receives input from an upstream component but does not correctly filter or escape special elements, so that a downstream component misparses them as control instructions or syntactic markers. Attackers commonly exploit this defect to inject code or alter program logic, giving rise to injection attacks. Developers should enforce strict input validation, apply standardized escaping to special characters, and use safe APIs for data exchange, so that injected elements are never parsed as control elements.

Official MITRE CWE description
CWE-138: Improper Neutralization of Special Elements. The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component. Most languages and protocols have their own special elements, such as characters and reserved words. These special elements can carry control implications. If the product does not prevent external control or influence over the inclusion of such special elements, the control flow of the program may be altered from what was intended. For example, both Unix and Windows interpret the symbol < ("less than") as meaning "read input from a file".
Common consequences (1)
Scope: Confidentiality, Integrity, Availability, Other. Impact: Execute Unauthorized Code or Commands; Alter Execution Logic; DoS: Crash, Exit, or Restart.
Mitigations (5)
Phase: Implementation. Developers should anticipate that special elements (e.g. delimiters, symbols) will be injected into input vectors of their product. One defense is to create an allowlist (e.g. a regular expression) that defines valid input according to the requirements specifications. Strictly filter any input that does not match against the allowlist. Properly encode your output, and quote any elements that have …
Phase: Implementation. Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Phase: Implementation. Use and specify an appropriate output encoding to ensure that the special elements are well-defined. A normal byte sequence in one encoding could be a special element in another.
Phase: Implementation. Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Phase: Implementation. While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or whit…
Code examples (2)
The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path.
my $Username = GetUntrustedInput();
$Username =~ s/\.\.\///;
my $filename = "/home/user/" . $Username;
ReadAndSendFile($filename);
Bad · Perl
Attack input: ../../../etc/passwd
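The mitigations listed above (allowlist validation, canonicalize before validating, never decode twice) are what the Perl example lacks: its single, non-global substitution strips only the first "../", so "../../../etc/passwd" still escapes the base directory. The following Python is an added example, not code from the page or from MITRE; it reproduces the flawed filter for comparison and shows one defensive version that decodes exactly once, validates the canonical value against an allowlist, and then verifies the resolved path stays under the base directory. The base directory /home/user is taken from the Perl example; the function names are hypothetical.

```python
import os
import re
from urllib.parse import unquote

# Base directory taken from the page's Perl example; assumed for illustration.
BASE_DIR = "/home/user"

# Allowlist for a single filename component: the first character must be a
# letter, digit, underscore or dash (so "." and ".." can never match), followed
# by up to 63 characters from the same set plus dots. Slashes, percent signs,
# NUL bytes and newlines are all outside the class and therefore rejected.
FILENAME_RE = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}")


def naive_filter(username: str) -> str:
    # Mirror of the page's Perl substitution s/\.\.\///, which has no /g flag:
    # only the FIRST occurrence of "../" is removed. Kept here to show the gap.
    return username.replace("../", "", 1)


def safe_path(raw: str) -> str:
    """Canonicalize once, validate against the allowlist, then verify containment.

    Raises ValueError for any input that is not a plain filename under BASE_DIR.
    """
    # Step 1 (CWE-174): decode exactly once. A value that is still
    # percent-encoded after one pass is simply invalid; it is never decoded again.
    decoded = unquote(raw)

    # Step 2 (CWE-180): validate the canonical form, not the raw wire bytes.
    if not FILENAME_RE.fullmatch(decoded):
        raise ValueError(f"rejected filename: {raw!r}")

    # Step 3: defence in depth. Resolve the final path and confirm it still lies
    # under BASE_DIR. With the allowlist above this cannot fail, but it catches
    # a future loosening of the regex (for example, allowing subdirectories).
    base = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {raw!r}")
    return candidate


def is_rejected(raw: str) -> bool:
    """True when safe_path refuses the input, False when it yields a path."""
    try:
        safe_path(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: the page's attack string plus common variants.
    samples = [
        "report.txt",
        "../../../etc/passwd",        # the page's attack input
        "....//etc/passwd",           # survives a single "../" strip
        "%2e%2e%2fetc%2fpasswd",      # percent-encoded traversal
        "%252e%252e%252f",            # double-encoded; must not be decoded twice
    ]
    for s in samples:
        print(f"{s!r:32} naive -> {naive_filter(s)!r:24} safe -> "
              f"{'REJECTED' if is_rejected(s) else safe_path(s)}")
```

The naive filter is a denylist and fails on inputs that reassemble "../" after the first removal, whereas the allowlist rejects anything that is not a bare filename, so it needs no knowledge of specific attack strings. Keeping the containment check after the allowlist costs one realpath call and guards against the regex being relaxed later.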
The following example assigns some character values to a list of characters and prints them each individually, and then as a string. The third character value is intended to be an integer taken from user input and converted to an int. The first print statement will print each character separated by a space.
char *foo;
foo=malloc(sizeof(char)*5);
foo[0]='a';
foo[1]='a';
foo[2]=fgetc(stdin);
foo[3]='c';
foo[4]='\0';
printf("%c %c %c %c %c \n",foo[0],foo[1],foo[2],foo[3],foo[4]);
printf("%s\n",foo);
Bad · C
| CVE ID | Title | Affected product | CVSS | Risk level | Published |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-26129 | M365 Copilot Information Disclosure Vulnerability | Microsoft 365 Copilot's Business Chat | 7.5 | High | 2026-05-07 |
| CVE-2026-32178 | Microsoft .NET Security Vulnerability | .NET 10.0 | 7.5 | High | 2026-04-14 |
| CVE-2026-20009 | Cisco Secure Firewall Adaptive Security Appliance Security Vulnerability | Cisco Secure Firewall Adaptive Security Appliance (ASA) Software | 5.3 | Medium | 2026-03-04 |
| CVE-2025-48939 | tarteaucitron.js Security Vulnerability | tarteaucitron.js | 4.2 | Medium | 2025-07-03 |
| CVE-2025-5878 | OWASP ESAPI Security Vulnerability | esapi-java-legacy | 7.3 | High | 2025-06-29 |
| CVE-2024-51500 | Meshtastic device firmware Security Vulnerability | firmware | 5.3 | Medium | 2024-11-04 |
| CVE-2024-38133 | Microsoft Windows Kernel Security Vulnerability | Windows 10 Version 1809 | 7.8 | High | 2024-08-13 |
| CVE-2023-42117 | Exim Security Vulnerability | Exim | 9.8 | - | 2024-05-03 |
| CVE-2023-22288 | Checkmk Cross-Site Scripting Vulnerability | Checkmk | 6.8 | Medium | 2023-03-20 |
| CVE-2022-2429 | WordPress plugin Ultimate SMS Notifications for WooCommerce Security Vulnerability | Ultimate SMS Notifications for WooCommerce | 6.5 | Medium | 2022-09-06 |
| CVE-2022-0024 | Palo Alto Networks PAN-OS Security Vulnerability | PAN-OS | 7.2 | High | 2022-05-11 |
| CVE-2016-0750 | Infinispan hotrod Java client Security Vulnerability | Infinispan | 8.8 | - | 2018-09-11 |

CWE-138 (Improper Neutralization of Special Elements) is a common weakness category; this platform lists 12 CVEs associated with it.