
CWE-158 Improper Neutralization of Null Byte or NUL Character: vulnerability list (21)

Summary of the 21 CVEs associated with the CWE-158 (Improper Neutralization of Null Byte or NUL Character) weakness class, with AI-generated analysis in Chinese.

CWE-158 is an input-validation weakness: the program fails to handle or filter null bytes (NUL, 0x00) in its input. An attacker injects a null byte so that a downstream component written in, or built on, a language that treats NUL as the string terminator (C/C++ and the libraries layered on them) sees the input as ending earlier than it actually does. The mismatch between a length-delimited view of the data (where the check runs) and a NUL-terminated view (where the data is used) truncates the input or changes how it is parsed, which can bypass a security check or, where length bookkeeping and the terminator disagree, contribute to a buffer overflow. Developers should validate input strictly and reject anything containing a null byte, or explicitly strip or escape NUL before processing, so that data keeps its integrity and is parsed the same way by every component it passes through.

MITRE CWE official description
CWE-158: Improper Neutralization of Null Byte or NUL Character. The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component. As data is parsed, an injected NUL character or null byte may cause the product to believe the input is terminated earlier than it actually is, or otherwise cause the input to be misinterpreted. This could then be used to inject potentially dangerous input that occurs after the null byte, or to bypass validation routines and other protection mechanisms.
Common consequences (1)
- Integrity: Unexpected State
Mitigations (3)
- Developers should anticipate that null characters or null bytes will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.
- Phase: Implementation. Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
- Phase: Implementation. Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
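The truncation described above, and the mitigation order the last two items prescribe (decode once, reject NUL, then validate the canonical bytes), are easiest to see in a small C program. The following is an added example written for this page; it is not code from any of the projects or CVEs listed below. The functions pct_decode, vulnerable_accepts and hardened_accepts, the ".txt" allowlist and the sample inputs are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode the len-byte buffer src into dst (capacity cap) and return
 * the decoded length. "%00" decodes to a 0x00 byte like any other escape,
 * which is how an attacker plants a NUL inside a length-delimited buffer.
 * dst is always NUL-terminated so it can be handed to C-string APIs. */
size_t pct_decode(const char *src, size_t len, char *dst, size_t cap) {
    size_t o = 0;
    for (size_t i = 0; i < len && o + 1 < cap; i++) {
        if (src[i] == '%' && i + 2 < len) {
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hexval((unsigned char)src[i + 2]);
            if (hi >= 0 && lo >= 0) {
                dst[o++] = (char)(hi * 16 + lo);
                i += 2;
                continue;
            }
        }
        dst[o++] = src[i];
    }
    dst[o] = '\0';
    return o;
}

/* Allowlist check run on the length-delimited buffer: name must end in ".txt". */
static int has_txt_suffix(const char *buf, size_t len) {
    return len >= 4 && memcmp(buf + len - 4, ".txt", 4) == 0;
}

/* Vulnerable pattern: the check sees all n decoded bytes, but whatever later
 * calls fopen(out, ...) or strlen(out) stops at the embedded NUL, so
 * "secret.conf%00.txt" passes the ".txt" check and opens "secret.conf". */
int vulnerable_accepts(const char *raw, size_t rawlen, char *out, size_t cap) {
    size_t n = pct_decode(raw, rawlen, out, cap);
    return has_txt_suffix(out, n);
}

/* Hardened pattern: decode exactly once (CWE-174), reject any embedded NUL,
 * then validate the canonical bytes (CWE-180) that downstream code will see. */
int hardened_accepts(const char *raw, size_t rawlen, char *out, size_t cap) {
    size_t n = pct_decode(raw, rawlen, out, cap);
    if (memchr(out, '\0', n) != NULL) {
        out[0] = '\0';          /* never hand a truncating name downstream */
        return 0;
    }
    return has_txt_suffix(out, n);
}

int main(void) {
    /* Constructed sample inputs, not taken from any of the CVEs listed here. */
    const char *inputs[] = { "notes.txt", "secret.conf%00.txt" };
    char buf[64];
    for (size_t k = 0; k < 2; k++) {
        size_t len = strlen(inputs[k]);
        int v = vulnerable_accepts(inputs[k], len, buf, sizeof buf);
        printf("%-20s vulnerable=%d downstream sees \"%s\"\n", inputs[k], v, buf);
        int h = hardened_accepts(inputs[k], len, buf, sizeof buf);
        printf("%-20s hardened=%d\n", inputs[k], h);
    }
    return 0;
}
```

The vulnerable path accepts "secret.conf%00.txt" because the suffix check runs on all 16 decoded bytes, while strlen(buf) afterwards reports 11 and a C-string consumer opens "secret.conf". The hardened path rejects the same input before any check is made; it also decodes only once, so a second "%2500"-style layer is never unwrapped after validation.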
| CVE ID | Title | Product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2026-43861 | Mutt before 2.3.2: url_pct_decode does not check for NUL characters | mutt | 3.7 | Low | 2026-05-04 |
| CVE-2026-43859 | Mutt before 2.3.2: IMAP authentication memory copy vulnerability | mutt | 3.7 | Low | 2026-05-04 |
| CVE-2026-33191 | free5GC security vulnerability | free5gc | 7.5 | - | 2026-03-20 |
| CVE-2026-4359 | MongoDB C Driver security vulnerability | MongoDB C Driver | 2.0 | Low | 2026-03-17 |
| CVE-2026-28540 | Huawei HarmonyOS buffer error vulnerability | HarmonyOS | 4.0 | Medium | 2026-03-05 |
| CVE-2025-14388 | WordPress plugin PhastPress security vulnerability | PhastPress | 9.8 | Critical | 2025-12-23 |
| CVE-2025-66263 | DB Electronica Mozart FM Transmitter security vulnerability | Mozart FM Transmitter | 7.5 (AI-estimated) | High (AI-estimated) | 2025-11-26 |
| CVE-2025-61985 | OpenSSH security vulnerability | OpenSSH | 3.6 | Low | 2025-10-06 |
| CVE-2025-9648 | CivetWeb security vulnerability | CivetWeb | 7.5 | - | 2025-09-29 |
| CVE-2025-55113 | BMC Control-M security vulnerability | Control-M/Agent | 9.0 | Critical | 2025-09-16 |
| CVE-2025-47812 | Wing FTP Server 7.4.3 and … security vulnerability | Wing FTP Server | 10.0 | Critical | 2025-07-10 |
| CVE-2024-10921 | MongoDB security vulnerability | MongoDB Server | 6.8 | Medium | 2024-11-14 |
| CVE-2024-9026 | PHP security vulnerability | PHP | 3.3 | Low | 2024-10-08 |
| CVE-2024-0408 | X.org Server security vulnerability | - | 5.5 | Medium | 2024-01-18 |
| CVE-2023-5719 | Red Lion Controls Crimson security vulnerability | Crimson | 8.8 | High | 2023-11-06 |
| CVE-2022-31223 | Dell BIOS security vulnerability | CPG BIOS | 2.3 | Low | 2022-09-12 |
| CVE-2022-20813 | Cisco Expressway Series and Cisco TelePresence Video Communication Server trust management vulnerability | Cisco TelePresence Video Communication Server (VCS) Expressway | 9.0 | Critical | 2022-07-06 |
| CVE-2022-20812 | Cisco Expressway Series and Cisco TelePresence Video Communication Server path traversal vulnerability | Cisco TelePresence Video Communication Server (VCS) Expressway | 9.0 | Critical | 2022-07-06 |
| CVE-2020-7928 | MongoDB Server security vulnerability | MongoDB Server | 6.5 | Medium | 2020-11-23 |
| CVE-2020-14500 | Secomea GateManager code issue vulnerability | Secomea GateManager, all versions prior to 9.2c | 10.0 | Critical | 2020-08-25 |
| CVE-2020-5363 | Multiple Dell products security vulnerability | Dell Client Consumer and Commercial platforms | 8.6 | High | 2020-06-10 |

CWE-158 (Improper Neutralization of Null Byte or NUL Character) is a common weakness class; this platform lists 21 CVEs associated with it.