
CWE-179 Incorrect Behavior Order: Early Validation – vulnerability list (4)

Summary of the 4 CVE vulnerabilities associated with the weakness class CWE-179 Incorrect Behavior Order: Early Validation, with AI-generated analysis (in Chinese).

CWE-179 is a logical-ordering defect: the product validates input before applying its sanitization or canonicalization mechanisms. Attackers exploit it by crafting input that passes the early check but turns into a malicious payload during later processing. Developers should place validation after canonicalization and cleansing, following the principle of "process first, validate afterwards", to eliminate the bypasses that an inverted order allows and to preserve the integrity and safety of input data.

MITRE CWE Official Description
CWE: CWE-179 Incorrect Behavior Order: Early Validation. Description: the product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification. Products need to validate data at the right time, after it has been canonicalized and cleansed. Early validation is susceptible to various manipulations that result in dangerous inputs produced by canonicalization and cleansing.
Common Consequences (1)
Scope: Access Control, Integrity. Impact: Bypass Protection Mechanism, Execute Unauthorized Code or Commands.
An attacker could include dangerous input that bypasses validation protection mechanisms which can be used to launch various attacks including injection attacks, execute arbitrary code or cause other unintended behavior.
Mitigations (1)
Phase: Implementation. Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Code Examples (2)
The following code attempts to validate a given input path by checking it against an allowlist and then return the canonical path. In this specific case, the path is considered valid if it starts with the string "/safe_dir/".

Bad · Java

```java
String path = getInputPath();
// The prefix check runs on the raw input; ".." segments are resolved only afterwards
if (path.startsWith("/safe_dir/")) {
    File f = new File(path);
    return f.getCanonicalPath();
}
```

Good · Java

```java
String path = getInputPath();
File f = new File(path);
// Canonicalize first, then validate the resolved path
if (f.getCanonicalPath().startsWith("/safe_dir/")) {
    return f.getCanonicalPath();
}
```

This script creates a subdirectory within a user directory and sets the user as the owner.

Bad · PHP

```php
function createDir($userName, $dirName) {
    $userDir = '/users/' . $userName;
    // The '..' check runs before the '~' filter below, i.e. on unfiltered input
    if (strpos($dirName, '..') !== false) {
        echo 'Directory name contains invalid sequence';
        return;
    }
    // filter out '~' because other scripts identify user directories by this prefix
    $dirName = str_replace('~', '', $dirName);
    $newDir = $userDir . $dirName;
    mkdir($newDir, 0700);
    chown($newDir, $userName);
}
```
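The two orderings shown in the Java and PHP examples, side by side, as an added Python example that is not from MITRE or this page; `posixpath.normpath` stands in for Java's `getCanonicalPath()` so the block runs without touching the filesystem, and all sample inputs are constructed.

```python
import posixpath

SAFE_DIR = "/safe_dir/"


def validate_then_canonicalize(path):
    """Ordering of the 'Bad' Java snippet: the allowlist prefix is checked on
    the raw string and canonicalization happens afterwards, so '..' segments
    survive the check and are only resolved later."""
    if not path.startswith(SAFE_DIR):
        return None                       # rejected
    return posixpath.normpath(path)       # canonicalized after validation


def canonicalize_then_validate(path):
    """Ordering of the 'Good' Java snippet: canonicalize first, then check
    the prefix on the form the application will actually use."""
    canonical = posixpath.normpath(path)
    if not canonical.startswith(SAFE_DIR):
        return None                       # rejected
    return canonical


def clean_dir_name_bad(dir_name):
    """Ordering of the 'Bad' PHP snippet: '..' is rejected first, then '~' is
    stripped, so a name that only becomes '..' after stripping passes."""
    if ".." in dir_name:
        return None
    return dir_name.replace("~", "")


def clean_dir_name_good(dir_name):
    """Same filter with the order fixed: strip '~' first, then reject '..'."""
    cleaned = dir_name.replace("~", "")
    if ".." in cleaned:
        return None
    return cleaned


if __name__ == "__main__":
    traversal = "/safe_dir/../other/file"         # constructed sample input
    print(validate_then_canonicalize(traversal))   # /other/file (left the allowlisted tree)
    print(canonicalize_then_validate(traversal))   # None (rejected)
    print(clean_dir_name_bad(".~."))               # .. (the filter itself produced '..')
    print(clean_dir_name_good(".~."))              # None (rejected)
```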
| CVE ID | Title | Affected product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2026-3832 | GnuTLS security vulnerability | GnuTLS | 3.7 | Low | 2026-04-30 |
| CVE-2025-4759 | lockfile linting security vulnerability | lockfile-lint-api | 8.3 | High | 2025-05-16 |
| CVE-2024-41686 | SyroTech SY-GPON-1110-WDONT security vulnerability | SyroTech SY-GPON-1110-WDONT router | 7.1 | - | 2024-07-26 |
| CVE-2022-1271 | GNU Gzip input validation error vulnerability | gzip, xz-utils | 8.0 | - | 2022-08-31 |

CWE-179 (Incorrect Behavior Order: Early Validation) is a common weakness category; this platform lists the 4 CVE vulnerabilities associated with it.