
CWE-15 External Control of System or Configuration Setting: vulnerability list (55)

A summary of the 55 CVE vulnerabilities in the CWE-15 (External Control of System or Configuration Setting) weakness class, with AI-generated Chinese analysis.

CWE-15 covers vulnerabilities in which system or configuration settings can be controlled from outside the application; it is a configuration-management defect. Attackers typically tamper with environment variables, registry entries or configuration files to make the system behave in unintended ways or to cause a service outage. Developers should not trust user input directly, should use allow-list validation to restrict which settings can be configured and to which values, should hard-code critical security parameters in code, and should enforce strict access control so that settings cannot be modified without authorization.

MITRE CWE official description
CWE: CWE-15 External Control of System or Configuration Setting. English: One or more system settings or configuration elements can be externally controlled by a user. Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways.
Common consequences (1)
Other: Varies by Context
Mitigations (3)
Architecture and Design: Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
Implementation, Architecture and Design: Because setting manipulation covers a diverse set of functions, any attempt at illustrating it will inevitably be incomplete. Rather than searching for a tight-knit relationship between the functions addressed in the setting manipulation category, take a step back and consider the sorts of system values that an attacker should not be allowed to control.
Implementation, Architecture and Design: In general, do not allow user-provided or otherwise untrusted data to control sensitive values. The leverage that an attacker gains by controlling these values is not always immediately obvious, but do not underestimate the creativity of the attacker.
Code examples (2)
The following C code accepts a number as one of its command line parameters and sets it as the host ID of the current machine.
... sethostid(argv[1]); ...
Bad · C
The following Java code snippet reads a string from an HttpServletRequest and sets it as the active catalog for a database Connection.
... conn.setCatalog(request.getParameter("catalog")); ...
Bad · Java
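The two "Bad" snippets above hand an externally supplied value straight to a system or connection setting. The following is an added example, not code from MITRE or from this catalogue, showing the allow-list approach recommended in the description: the setting name and value must both match a policy fixed in code, and security-relevant settings are pinned so request input can never change them. FakeConnection, SettingPolicy, the setting names ("catalog", "sslmode") and the catalog names are all constructed for illustration; the unsafe function mirrors the Java snippet's behaviour for comparison.

```python
"""Allow-list validation for externally supplied configuration settings.

Added example, not code from MITRE or from this catalogue. FakeConnection,
SettingPolicy, the setting names and the catalog names are all constructed
for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Mapping, Optional


class SettingRejected(ValueError):
    """An untrusted setting name or value is not on the allow-list."""


@dataclass(frozen=True)
class SettingPolicy:
    # Settings a client may choose, each with the exact values permitted.
    allowed: Mapping[str, frozenset]
    # Security-relevant settings pinned in code; request input can never alter them.
    fixed: Mapping[str, str] = field(default_factory=dict)


class FakeConnection:
    """Stand-in for a database connection (constructed for the example)."""

    def __init__(self) -> None:
        self.catalog = "public"

    def set_catalog(self, name: str) -> None:
        self.catalog = name


def set_catalog_unsafe(conn: FakeConnection, params: Mapping[str, str]) -> str:
    # Mirrors the "Bad" Java snippet: whatever the client sent becomes the catalog.
    conn.set_catalog(params["catalog"])
    return conn.catalog


def resolve_settings(params: Mapping[str, str], policy: SettingPolicy) -> dict:
    """Return the settings to apply, raising SettingRejected on any violation.

    Fixed settings always win and may not appear in the request at all; every
    other name and value must match the allow-list exactly (no prefix matching,
    no case folding), so there is nothing for an attacker to "almost" satisfy.
    """
    resolved = dict(policy.fixed)
    for name, value in params.items():
        if name in policy.fixed:
            # Rejecting rather than silently ignoring makes probing visible in logs.
            raise SettingRejected(f"setting {name!r} is fixed and cannot be set externally")
        permitted = policy.allowed.get(name)
        if permitted is None:
            raise SettingRejected(f"unknown setting {name!r}")
        if value not in permitted:
            raise SettingRejected(f"value {value!r} is not permitted for {name!r}")
        resolved[name] = value
    return resolved


def set_catalog_safe(conn: FakeConnection, params: Mapping[str, str],
                     policy: SettingPolicy) -> str:
    """Apply only an allow-listed catalog; the connection is untouched on rejection."""
    settings = resolve_settings(params, policy)
    conn.set_catalog(settings.get("catalog", conn.catalog))
    return conn.catalog


def rejection_reason(params: Mapping[str, str], policy: SettingPolicy) -> Optional[str]:
    """Return why a request would be rejected, or None if it passes validation."""
    try:
        resolve_settings(params, policy)
    except SettingRejected as exc:
        return str(exc)
    return None


# Constructed policy: two catalogs a client may pick; the TLS mode is hard-coded.
POLICY = SettingPolicy(
    allowed={"catalog": frozenset({"sales", "inventory"})},
    fixed={"sslmode": "require"},
)

if __name__ == "__main__":
    # Constructed request parameters standing in for request.getParameter(...).
    for request in ({"catalog": "sales"}, {"catalog": "mysql"}, {"sslmode": "disable"}):
        conn = FakeConnection()
        unsafe = set_catalog_unsafe(conn, request) if "catalog" in request else "n/a"
        print("unsafe:", unsafe)
        print("safe:  ", rejection_reason(request, POLICY) or set_catalog_safe(conn, request, POLICY))
```

The design point is that the policy is data the application owns, not something derived from the request: the request may only select among values the code already knows, and anything outside that set is an error worth logging rather than a value to sanitise.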
| CVE ID | Title | Affected product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2024-39794 | WAVLINK AC3000 security vulnerability | Wavlink AC3000 | 9.1 | Critical | 2025-01-14 |
| CVE-2024-39793 | WAVLINK AC3000 security vulnerability | Wavlink AC3000 | 9.1 | Critical | 2025-01-14 |
| CVE-2024-39280 | WAVLINK AC3000 security vulnerability | Wavlink AC3000 | 9.1 | Critical | 2025-01-14 |
| CVE-2024-39788 | WAVLINK AC3000 security vulnerability | Wavlink AC3000 | 9.1 | Critical | 2025-01-14 |
| CVE-2024-39789 | WAVLINK AC3000 security vulnerability | Wavlink AC3000 | 9.1 | Critical | 2025-01-14 |
| CVE-2024-39790 | WAVLINK AC3000 security vulnerability | Wavlink AC3000 | 9.1 | Critical | 2025-01-14 |
| CVE-2024-54097 | Huawei EMUI and Huawei HarmonyOS security vulnerability | HarmonyOS | 7.3 | High | 2024-12-12 |
| CVE-2024-51544 | ABB ASPECT security vulnerability | ASPECT-Enterprise | 8.2 | High | 2024-12-05 |
| CVE-2024-51543 | ABB ASPECT security vulnerability | ASPECT-Enterprise | 8.2 | High | 2024-12-05 |
| CVE-2024-50358 | Advantech EKI-6333AC-2G and Advantech EKI-6333AC-2GD security vulnerability | EKI-6333AC-2G | 7.2 | High | 2024-11-26 |
| CVE-2024-10979 | PostgreSQL security vulnerability | PostgreSQL | 8.8 | High | 2024-11-14 |
| CVE-2024-21583 | Gitpod security vulnerability | github.com/gitpod-io/gitpod/components/server/go/pkg/lib | 4.1 | Medium | 2024-07-19 |
| CVE-2024-4326 | LoLLMs security vulnerability | parisneo/lollms-webui | 9.8 | Critical | 2024-05-16 |
| CVE-2023-6154 | Bitdefender multiple products security vulnerability | Total Security | 7.8 | High | 2024-04-01 |
| CVE-2024-23639 | Micronaut Framework security vulnerability | micronaut-core | 5.1 | Medium | 2024-02-09 |
| CVE-2023-50252 | php-svg-lib other vulnerability | php-svg-lib | 8.3 | High | 2023-12-12 |
| CVE-2023-46248 | Cody security vulnerability | cody | 9.1 | Critical | 2023-10-31 |
| CVE-2023-4704 | icms security vulnerability | instantsoft/icms2 | 9.4 | - | 2023-09-01 |
| CVE-2023-3321 | ABB Ability zenon security vulnerability | ABB Ability™ zenon | 7.0 | High | 2023-07-24 |
| CVE-2023-32349 | Teltonika RUT router security vulnerability | RUT model routers | 8.0 | High | 2023-05-22 |
| CVE-2023-32076 | in-toto security vulnerability | in-toto | 5.5 | Medium | 2023-05-10 |
| CVE-2021-27406 | OpenVPN security vulnerability | OpenVPN-Client | 8.8 | High | 2022-10-14 |
| CVE-2021-38453 | AUVESY Versiondog security vulnerability | Versiondog | 9.1 | Critical | 2021-10-22 |
| CVE-2021-31338 | SINEMA Remote Connect Server security vulnerability | SINEMA Remote Connect Client | 7.8 | - | 2021-08-19 |
| CVE-2021-3707 | D-Link DSL-2750U security vulnerability | DSL-2750U | 7.1 | - | 2021-08-16 |

CWE-15 (External Control of System or Configuration Setting) is a common weakness class; this platform has catalogued 55 CVE vulnerabilities associated with it.