
CWE-15 External Control of System or Configuration Setting: vulnerability list (55)

Summary of the 55 CVE entries associated with weakness class CWE-15 (External Control of System or Configuration Setting), with AI-generated analysis.

CWE-15 covers vulnerabilities in which a system or configuration setting can be controlled from outside the program; it is a configuration-management weakness. An attacker typically tampers with environment variables, registry values or configuration files to make the system behave in an unintended way or to disrupt service. Developers should not trust externally supplied input directly: restrict which settings can be set at all with an allowlist, validate each value against the set of acceptable values, keep security-critical parameters out of reach of external input (for example by fixing them in code or in protected configuration), and enforce access controls so that configuration can only be modified by authorized principals.

MITRE CWE official description
CWE: CWE-15 External Control of System or Configuration Setting. Description: One or more system settings or configuration elements can be externally controlled by a user. Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious, ways.
Common consequences (1)
Scope: Other. Impact: Varies by Context.
Mitigations (3)
Architecture and Design: Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
Implementation, Architecture and Design: Because setting manipulation covers a diverse set of functions, any attempt at illustrating it will inevitably be incomplete. Rather than searching for a tight-knit relationship between the functions addressed in the setting manipulation category, take a step back and consider the sorts of system values that an attacker should not be allowed to control.
Implementation, Architecture and Design: In general, do not allow user-provided or otherwise untrusted data to control sensitive values. The leverage that an attacker gains by controlling these values is not always immediately obvious, but do not underestimate the creativity of the attacker.
Code examples (2)

The following C code accepts a number as one of its command line parameters and sets it as the host ID of the current machine.

    ...
    /* the host ID comes straight from an untrusted command line argument */
    sethostid(argv[1]);
    ...

Bad · C

The following Java code snippet reads a string from an HttpServletRequest and sets it as the active catalog for a database Connection.

    ...
    // the catalog name comes straight from an untrusted request parameter
    conn.setCatalog(request.getParameter("catalog"));
    ...

Bad · Java
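Both demonstrative snippets above, and the description of environment-variable and configuration-file tampering earlier on this page, share one pattern: an external value is written into a sensitive setting with no check on the name or the value. The Python below is an added example written for this page, not code from MITRE CWE or from any product in the CVE table. It contrasts the unchecked pattern with the allowlist approach the mitigations recommend: external input may only touch settings that are explicitly listed as externally settable, and each listed setting has its own validator. The setting names, validators, ALLOWED_CATALOGS, DEFAULTS and the sample .env text are hypothetical, constructed for illustration.

```python
"""Allowlist guard for externally supplied settings (added example).

Setting names, validators, ALLOWED_CATALOGS and the sample .env text are
hypothetical, constructed for illustration only.
"""
import re
from dataclasses import dataclass


# Catalogs an external caller may switch a connection to (hypothetical).
ALLOWED_CATALOGS = frozenset({"sales", "inventory", "hr_public"})


def _catalog(raw):
    """Exact-match allowlist: only known catalog names are accepted."""
    return raw if raw in ALLOWED_CATALOGS else None


def _page_size(raw):
    """Bounded integer: digits only, 1..200 inclusive."""
    if not raw.isdigit():
        return None
    n = int(raw)
    return n if 1 <= n <= 200 else None


def _locale(raw):
    """Shape check: 'en' or 'en_US' style tags only."""
    return raw if re.fullmatch(r"[a-z]{2}(_[A-Z]{2})?", raw) else None


# The complete set of settings external input may touch, each with the
# validator that normalises the raw string or returns None to reject it.
# Anything not listed here (LD_PRELOAD, PATH, host id, debug flags, DSNs)
# is refused by name, whatever the value.
EXTERNALLY_SETTABLE = {
    "catalog": _catalog,
    "page_size": _page_size,
    "locale": _locale,
}

DEFAULTS = {"catalog": "inventory", "page_size": 50, "locale": "en"}


@dataclass
class SettingsReport:
    applied: dict      # resulting settings
    rejected: dict     # setting name -> reason it was refused


def parse_env_lines(text):
    """Minimal KEY=value parser for a .env-style workspace file."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if not sep:
            continue
        out[key.strip()] = value.strip().strip("\"'")
    return out


def apply_settings_unchecked(raw, current):
    """CWE-15 pattern: every external key lands in the live settings,
    the equivalent of conn.setCatalog(request.getParameter("catalog"))."""
    merged = dict(current)
    merged.update(raw)
    return merged


def apply_external_settings(raw, current):
    """Hardened form: allowlist by name, validate by value, and never
    mutate the caller's settings in place."""
    applied = dict(current)
    rejected = {}
    for name, value in raw.items():
        validator = EXTERNALLY_SETTABLE.get(name)
        if validator is None:
            rejected[name] = "not externally settable"
            continue
        accepted = validator(value)
        if accepted is None:
            rejected[name] = "value outside allowed set"
            continue
        applied[name] = accepted
    return SettingsReport(applied, rejected)


# Constructed sample: a workspace .env that mixes legitimate tweaks with an
# attempt to inject a loader variable and an out-of-range value.
SAMPLE_ENV = """\
# constructed sample, not from any real project
catalog=sales
export LD_PRELOAD=/tmp/evil.so
page_size=5000
locale="en_US"
"""


def demo():
    raw = parse_env_lines(SAMPLE_ENV)
    return apply_external_settings(raw, DEFAULTS)


if __name__ == "__main__":
    report = demo()
    print("applied :", report.applied)
    print("rejected:", report.rejected)
```

The guard is deliberately keyed on names first: a setting that is not in EXTERNALLY_SETTABLE is refused before its value is even looked at, which is what keeps loader variables, host identifiers and similar values out of an attacker's reach regardless of how the value is encoded. The validators return a normalised value (an int for page_size) rather than a boolean so that downstream code never sees the raw string.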
The 30 entries shown on this page (scores and severities marked (AI) carry an AI marker on the source page, i.e. they were assigned by the site's AI analysis rather than taken from the advisory; "-" means no value was given):

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-43531 | OpenClaw < 2026.4.9 workspace .env file environment variable injection vulnerability | OpenClaw | 7.3 | High | 2026-05-05 |
| CVE-2026-41384 | OpenClaw security vulnerability | OpenClaw | 7.8 | High | 2026-04-28 |
| CVE-2026-41294 | OpenClaw security vulnerability | OpenClaw | 8.6 | High | 2026-04-20 |
| CVE-2026-0232 | Palo Alto Networks Cortex XDR Agent security vulnerability | Cortex XDR Agent | 6.0 | - | 2026-04-13 |
| CVE-2026-35650 | OpenClaw security vulnerability | OpenClaw | 7.5 | High | 2026-04-10 |
| CVE-2026-33092 | Acronis True Image security vulnerability | Acronis True Image OEM | 7.8 (AI) | High (AI) | 2026-04-10 |
| CVE-2026-30817 | TP-Link Archer AX53 security vulnerability | AX53 v1.0 | 5.7 (AI) | Medium (AI) | 2026-04-08 |
| CVE-2026-30816 | TP-Link Archer AX53 security vulnerability | AX53 v1.0 | 5.7 (AI) | Medium (AI) | 2026-04-08 |
| CVE-2026-22177 | OpenClaw security vulnerability | OpenClaw | 6.1 | Medium | 2026-03-18 |
| CVE-2026-21422 | Dell PowerScale OneFS security vulnerability | PowerScale OneFS | 3.4 | Low | 2026-03-04 |
| CVE-2026-27203 | eBay API MCP Server injection vulnerability | ebay-mcp | 8.3 | High | 2026-02-20 |
| CVE-2025-13091 | WordPress plugin Shopire security vulnerability | Shopire | 4.3 | Medium | 2026-02-19 |
| CVE-2026-22708 | Cursor security vulnerability | cursor | 9.1 (AI) | Critical (AI) | 2026-01-14 |
| CVE-2026-0495 | SAP Fiori App Intercompany Balance Reconciliation security vulnerability | SAP Fiori App (Intercompany Balance Reconciliation) | 5.1 | Medium | 2026-01-13 |
| CVE-2025-64726 | Socket Firewall code issue vulnerability | firewall-release | 7.8 | - | 2025-11-13 |
| CVE-2025-62527 | Taguette security vulnerability | taguette | 7.1 | High | 2025-10-20 |
| CVE-2025-43792 | Liferay Portal and Liferay DXP security vulnerability | Portal | 8.1 (AI) | High (AI) | 2025-09-15 |
| CVE-2025-41452 | Danfoss AK-SM8xxA Series security vulnerability | AK-SM8xxA Series | 5.3 (AI) | Medium (AI) | 2025-08-22 |
| CVE-2025-8283 | Red Hat Enterprise Linux security vulnerability | - | 3.7 | Low | 2025-07-28 |
| CVE-2025-27889 | Multiple products security vulnerability | Wing FTP Server | 3.4 | Low | 2025-07-10 |
| CVE-2025-30512 | Growatt Cloud Applications security vulnerability | Cloud portal | 6.5 | Medium | 2025-04-15 |
| CVE-2025-27253 | GE Vernova UR IED input validation error vulnerability | N60 multilin | 6.1 | Medium | 2025-03-10 |
| CVE-2025-0425 | Cordaware bestinformed security vulnerability | bestinformed Infoclient | 8.8 | - | 2025-02-18 |
| CVE-2024-11166 | Federal Aviation Administration TCAS security vulnerability | Collision Avoidance Systems | 5.3 | - | 2025-01-22 |
| CVE-2024-39798 | WAVLINK AC3000 security vulnerability | Wavlink AC3000 | 9.1 | Critical | 2025-01-14 |
| CVE-2024-39800 | WAVLINK AC3000 security vulnerability | Wavlink AC3000 | 9.1 | Critical | 2025-01-14 |
| CVE-2024-39799 | WAVLINK AC3000 security vulnerability | Wavlink AC3000 | 9.1 | Critical | 2025-01-14 |
| CVE-2024-38666 | WAVLINK AC3000 security vulnerability | Wavlink AC3000 | 9.1 | Critical | 2025-01-14 |
| CVE-2024-39602 | WAVLINK AC3000 security vulnerability | Wavlink AC3000 | 9.1 | Critical | 2025-01-14 |
| CVE-2024-39795 | WAVLINK AC3000 security vulnerability | Wavlink AC3000 | 9.1 | Critical | 2025-01-14 |

CWE-15 (External Control of System or Configuration Setting) is a common weakness class; this platform lists 55 CVE entries associated with it.