
CWE-178 Improper Handling of Case Sensitivity: Vulnerability List (24)

A summary of the 24 CVEs classified under CWE-178 (Improper Handling of Case Sensitivity), with AI-generated Chinese analysis.

CWE-178 covers logic flaws caused by failing to handle case sensitivity correctly. Attackers commonly exploit case differences to bypass access controls or filtering: for example, evading a blocklist with mixed-case characters, or taking advantage of a case-insensitive password check to make brute-force attacks easier. Developers should not ignore case differences in critical logic; access to sensitive resources, authentication, and input filtering should use strict, case-aware comparison so that the system behaves consistently and securely.

MITRE CWE official description
CWE-178: Improper Handling of Case Sensitivity. The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. Improperly handled case-sensitive data can lead to several possible consequences, including: case-insensitive passwords reducing the size of the key space, which makes brute force attacks easier; bypassing filters or access controls using alternate names; and multiple interpretation errors using alternate names.
Common Consequences (1)
Access Control: Bypass Protection Mechanism
Mitigations (3)
Architecture and Design: Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Implementation: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Demonstrative Example (1)
In the following example, an XSS neutralization method intends to replace script tags in user-supplied input with a safe equivalent:
// Bad (Java): replaceAll("script", ...) is a case-sensitive match, so only this exact
// lowercase spelling is replaced and any other casing of the tag name is left in place.
public String preventXSS(String input, String mask) {
    return input.replaceAll("script", mask);
}
Bad · Java
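The same defect and the mitigations listed above, as an added example in Python (it is not from the CWE entry nor from any project in the table below). It places a literal, case-sensitive filter with the same flaw as the Java preventXSS beside a check that canonicalizes (NFKC plus casefold, per the CWE-180 mitigation) before deciding, and beside an access decision keyed on a resource name that can have alternate spellings. The function names, the route prefixes in PROTECTED_PREFIXES and the sample inputs are constructed for illustration.

```python
import re
import unicodedata

# ---------------------------------------------------------------------------
# 1. The filter flaw from the CWE-178 demonstrative example, in Python.
#    str.replace is a literal, case-sensitive match: only the spelling "script"
#    is masked, and every other casing of the tag name passes through untouched.
# ---------------------------------------------------------------------------
def prevent_xss_flawed(text: str, mask: str) -> str:
    return text.replace("script", mask)


# ---------------------------------------------------------------------------
# 2. Canonicalize before validating (the CWE-180 mitigation quoted above).
#    NFKC folds compatibility characters (full-width letters, ligatures) onto
#    their base characters; casefold() is the Unicode case mapping intended for
#    caseless comparison (stronger than lower(), e.g. 'ß' -> 'ss').
# ---------------------------------------------------------------------------
def canonicalize(text: str) -> str:
    return unicodedata.normalize("NFKC", text).casefold()


# Reject-style check in the "accept known good" spirit: the decision is made on
# the canonical form, so "script", "SCRIPT", "ScRiPt" and full-width spellings
# are all treated identically. The caller rejects the input rather than trying
# to rewrite it into something safe.
def contains_script_tag(text: str) -> bool:
    return re.search(r"<\s*script\b", canonicalize(text)) is not None


# ---------------------------------------------------------------------------
# 3. Access decisions keyed on a resource name (hypothetical route prefixes).
#    If the router or file store behind this check is case-insensitive,
#    "/Admin/users" and "/admin/users" name the same resource, so the decision
#    must not depend on the spelling the client chose.
# ---------------------------------------------------------------------------
PROTECTED_PREFIXES = ("/admin/", "/internal/")   # constructed sample policy


def is_protected_flawed(path: str) -> bool:
    # Case-sensitive comparison: an alternate spelling of a protected prefix is
    # not recognised, so the request falls through to the unprotected branch.
    return path.startswith(PROTECTED_PREFIXES)


def is_protected_hardened(path: str) -> bool:
    # Compare canonical forms on both sides. This fails closed: if the backend
    # is in fact case-sensitive, "/Admin/users" is simply an unknown resource,
    # and treating it as protected costs nothing.
    canon = canonicalize(path)
    return any(canon.startswith(canonicalize(p)) for p in PROTECTED_PREFIXES)


if __name__ == "__main__":
    # Constructed sample inputs, one per spelling variant.
    for sample in ("<script>", "<ScRiPt>", "<ｓｃｒｉｐｔ>"):
        print(f"{sample!r}: flawed filter -> {prevent_xss_flawed(sample, '[masked]')!r}, "
              f"rejected by canonical check -> {contains_script_tag(sample)}")
    for path in ("/admin/users", "/Admin/users", "/public/index.html"):
        print(f"{path}: flawed={is_protected_flawed(path)} "
              f"hardened={is_protected_hardened(path)}")
```

The point of the hardened variants is where the decision is made: on one internal representation, after decoding and normalization, never on the raw spelling. Note that the access check does not need to know whether the backend is case-sensitive; comparing canonical forms is conservative in either case, whereas the case-sensitive check is only correct if every layer behind it is also case-sensitive.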
CVE ID | Title | Affected | CVSS | Risk level | Published
CVE-2026-3833 | GnuTLS policy bypass vulnerability | | 6.5 | Medium | 2026-04-30
CVE-2026-40453 | Apache Camel security vulnerability | Apache Camel JMS | 9.8 (AI) | Critical (AI) | 2026-04-27
CVE-2026-22665 | prompts.chat security vulnerability | prompts.chat | 8.1 | High | 2026-04-03
CVE-2026-33691 | OWASP CRS security vulnerability | coreruleset | 6.8 | Medium | 2026-04-02
CVE-2026-3532 | Drupal OpenID Connect / OAuth client security vulnerability | OpenID Connect / OAuth client | 8.8 (AI) | High (AI) | 2026-03-26
CVE-2026-32939 | DataEase security vulnerability | dataease | 9.1 | - | 2026-03-20
CVE-2026-29054 | Traefik security vulnerability | traefik | 7.5 | High | 2026-03-05
CVE-2026-27896 | MCP Go SDK security vulnerability | go-sdk | 9.1 (AI) | Critical (AI) | 2026-02-26
CVE-2026-27588 | Caddy security vulnerability | caddy | 9.1 | - | 2026-02-24
CVE-2026-27587 | Caddy security vulnerability | caddy | 9.1 | - | 2026-02-24
CVE-2026-25889 | File Browser security vulnerability | filebrowser | 5.4 | Medium | 2026-02-09
CVE-2025-67718 | Form.io information disclosure vulnerability | formio | 7.5 (AI) | High (AI) | 2025-12-11
CVE-2025-59944 | Cursor security vulnerability | cursor | 8.1 | High | 2025-10-03
CVE-2025-61593 | Cursor security vulnerability | cursor | 7.1 | High | 2025-10-03
CVE-2025-46701 | Apache Tomcat security vulnerability | Apache Tomcat | 9.1 (AI) | Critical (AI) | 2025-05-29
CVE-2025-4035 | libsoup security vulnerability | Red Hat Enterprise Linux 10 | 4.3 | Medium | 2025-04-29
CVE-2024-6866 | Flask-CORS security vulnerability | corydolphin/flask-cors | 7.5 | - | 2025-03-20
CVE-2024-55634 | Drupal core security vulnerability | Drupal Core | 8.8 | - | 2024-12-09
CVE-2024-38829 | VMware Tanzu Spring LDAP security vulnerability | Spring LDAP | 3.7 | Low | 2024-12-04
CVE-2024-32879 | Python Social Auth security vulnerability | social-app-django | 4.9 | Medium | 2024-04-24
CVE-2024-23331 | Vite security vulnerability | vite | 7.5 | High | 2024-01-19
CVE-2023-3545 | Chamilo LMS security vulnerability | Chamilo | 9.8 | Critical | 2023-11-28
CVE-2021-39155 | Istio security vulnerability | istio | 8.3 | High | 2021-08-24
CVE-2021-24347 | WordPress code injection vulnerability | SP Project & Document Manager | 8.8 | - | 2021-06-14

(AI) marks a CVSS score or risk level that the platform estimated automatically rather than took from the official advisory; "-" means no risk level is recorded.

CWE-178 (Improper Handling of Case Sensitivity) is a common weakness category; this platform has catalogued 24 CVEs associated with it.