
CWE-184 (Incomplete Blacklist) — Vulnerability Class 86

86 vulnerabilities classified as CWE-184 (Incomplete Blacklist). AI Chinese analysis included.

CWE-184 represents a critical input validation weakness where an application relies on a blacklist of prohibited inputs that fails to cover all malicious variations. This approach is inherently fragile because attackers can easily bypass incomplete lists using encoding techniques, alternative syntax, or edge cases not anticipated by the developer. Exploitation typically occurs when an adversary submits crafted payloads that evade the restricted set, allowing unauthorized commands, code execution, or data injection to proceed unchecked. To mitigate this risk, developers should abandon blacklisting in favor of whitelisting, which permits only explicitly verified and safe inputs. Additionally, implementing robust input sanitization and normalization processes ensures that diverse attack vectors are neutralized before processing, thereby closing the gaps left by incomplete disallowed lists and significantly strengthening the application’s security posture against injection-based threats.

MITRE CWE Description
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

Common Consequences (1)
Access Control: Bypass Protection Mechanism
Attackers may be able to find other malicious inputs that were not expected by the developer, allowing them to bypass the intended protection mechanism.

Mitigations (1)
Implementation: Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as …
Examples (2)
The following code attempts to stop XSS attacks by removing all occurrences of "script" in an input string.

public String removeScriptTags(String input, String mask) {
    return input.replaceAll("script", mask);
}

Bad · Java
This example takes user input, passes it through an encoding scheme, then lists the contents of the user's home directory based on the user name.

sub GetUntrustedInput {
    return($ARGV[0]);
}

sub encode {
    my($str) = @_;
    $str =~ s/\&/\&amp;/gs;
    $str =~ s/\"/\&quot;/gs;
    $str =~ s/\'/\&apos;/gs;
    $str =~ s/\</\&lt;/gs;
    $str =~ s/\>/\&gt;/gs;
    return($str);
}

sub doit {
    my $uname = encode(GetUntrustedInput("username"));
    print "<b>Welcome, $uname!</b><p>\n";
    system("cd /home/$uname; /bin/ls -l");
}

Bad · Perl
' pwd
Attack
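The following Python is an added example, not code from this page, from MITRE, or from any product listed below. It mirrors the two MITRE examples and the mitigation text: blocklist_strip reproduces the single-pass token removal of the Java example so its weakness can be observed; looks_suspicious keeps the same denylist but only as a detector, applied after normalization, which is the role MITRE says a denylist should have; validate_username and listing_command show the allowlist-plus-argv approach for the Perl example, where HTML encoding was applied to a value that then reached a shell. The function names, the username pattern and every sample string are assumptions constructed for the example.

```python
import html
import re
import unicodedata

# Reproduction of the Java example's approach: strip one disallowed token in a
# single pass. This is the CWE-184 pattern, kept here only to show why it fails.
def blocklist_strip(value: str, mask: str = "") -> str:
    return value.replace("script", mask)

# Canonicalize before any check: compatibility normalization folds look-alike
# code points (e.g. fullwidth letters) to ASCII, casefold removes case tricks.
def normalize(value: str) -> str:
    return unicodedata.normalize("NFKC", value).casefold()

# The denylist used the way MITRE recommends: as a signal for logging/alerting,
# evaluated on the normalized value, never as the thing that makes input safe.
def looks_suspicious(value: str) -> bool:
    return "script" in normalize(value)

# Allowlist for the Perl example's username: a small, explicit character set.
# Anything outside it (quotes, semicolons, spaces, slashes) is rejected outright.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")

def is_valid_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None

def validate_username(value: str) -> str:
    if not is_valid_username(value):
        raise ValueError("username does not match the allowed pattern")
    return value

# HTML context: escape for HTML. This protects the welcome banner and nothing
# else; the Perl example's mistake was reusing this output in a shell command.
def render_welcome(uname: str) -> str:
    return f"<b>Welcome, {html.escape(uname, quote=True)}!</b>"

# Shell context: validate with the allowlist and pass an argv list (suitable for
# subprocess.run with shell=False), so no shell ever parses the username.
def listing_command(uname: str) -> list:
    safe = validate_username(uname)
    return ["/bin/ls", "-l", f"/home/{safe}"]

if __name__ == "__main__":
    # Constructed inputs showing the gap between stripping and detecting.
    for sample in ["scrscriptipt", "SCRIPT", "\uff53\uff43\uff52\uff49\uff50\uff54"]:
        print(repr(sample), "->", repr(blocklist_strip(sample)),
              "suspicious:", looks_suspicious(sample))
    print(render_welcome("<b>"))
    print(listing_command("alice"))
    print(is_valid_username("' pwd"))  # the page's attack input is simply rejected
```

The first loop makes the page's point concrete: a single-pass strip leaves a valid token behind when the token is nested, misses a case variant, and never sees the fullwidth form at all, while the detector, run after normalization, flags all three. Neither function is what makes the shell call safe; validate_username and the argv list do that, and the denylist hit is only something to log.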
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-3374 | Privilege Escalation in Bookreen | Bookreen | 9.8 | Critical | 2023-09-05
CVE-2023-40037 | Apache NiFi: Incomplete Validation of JDBC and JNDI Connection URLs | Apache NiFi | 8.1 | - | 2023-08-18
CVE-2023-23844 | SolarWinds Platform Incomplete List of Disallowed Inputs Vulnerability | SolarWinds Platform | 7.2 | High | 2023-07-26
CVE-2023-34253 | Grav vulnerable to Server-side Template Injection (SSTI) via Denylist Bypass | grav | 8.8 | High | 2023-06-14
CVE-2023-34252 | Grav Server-side Template Injection via Insufficient Validation in filterFilter | grav | 8.8 | High | 2023-06-14
CVE-2023-2017 | Improper Control of Generation of Code in Twig Rendered Views in Shopware | Shopware 6 | 8.8 | High | 2023-04-17
CVE-2022-34888 | Lenovo XClarity Controller Security Vulnerability | Lenovo XClarity Controller | 2.7 | Low | 2023-01-30
CVE-2022-32763 | Lansweeper Cross-Site Scripting Vulnerability | lansweeper | 5.4 | - | 2022-12-19
CVE-2022-35962 | Crafted link in Zulip message can cause disclosure of credentials | zulip-mobile | 8.0 | High | 2022-08-29
CVE-2022-38179 | JetBrains Ktor framework Security Vulnerability | Ktor | 4.7 | Medium | 2022-08-12
CVE-2021-31370 | Junos OS: QFX5000 Series and EX4600 Series: Control traffic might be dropped if a high rate of specific multicast traffic is received | Junos OS | 6.5 | Medium | 2021-10-19
CVE-2021-25737 | Holes in EndpointSlice Validation Enable Host Network Hijack | Kubernetes | 2.7 | Low | 2021-09-06
CVE-2021-25631 | denylist of executable filename extensions possible to bypass under windows | LibreOffice | 8.8 | - | 2021-05-03
CVE-2020-14372 | grub2 Security Vulnerability | grub2 | 8.2 | - | 2021-03-03
CVE-2021-1135 | Cisco Data Center Network Manager REST API Vulnerabilities | Cisco Data Center Network Manager | 4.6 | Medium | 2021-01-20
CVE-2021-1255 | Cisco Data Center Network Manager REST API Vulnerabilities | Cisco Data Center Network Manager | 4.6 | Medium | 2021-01-20
CVE-2021-1133 | Cisco Data Center Network Manager REST API Vulnerabilities | Cisco Data Center Network Manager | 4.6 | Medium | 2021-01-20
CVE-2020-3384 | Cisco Data Center Network Manager Command Injection Vulnerability | Cisco Data Center Network Manager | 8.2 | High | 2020-07-31
CVE-2020-5253 | Privilege escalation in NetHack | NetHack | 3.9 | Low | 2020-03-10
CVE-2018-16863 | Red Hat Enterprise Linux 7 OS Command Injection Vulnerability | ghostscript | 7.8 | - | 2018-12-03
CVE-2016-7076 | Sudo Command Injection Vulnerability | sudo | 7.8 | - | 2018-05-29
CVE-2017-2602 | CloudBees Jenkins Security Vulnerability | jenkins | 4.3 | - | 2018-05-15
CVE-2017-7525 | FasterXML Jackson Code Issue Vulnerability | jackson-databind | 9.8 | - | 2018-02-06
CVE-2017-15095 | FasterXML Jackson-databind Code Issue Vulnerability | jackson-databind | 9.8 | - | 2018-02-06
CVE-2017-0909 | private_address_check ruby gem Security Vulnerability | private_address_check ruby gem | 9.8 | - | 2017-11-16
CVE-2017-7540 | Foreman Security Vulnerability | rubygem-safemode | 9.8 | - | 2017-07-21

Vulnerabilities classified as CWE-184 (Incomplete Blacklist) represent 86 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.