
CWE-252 Unchecked Return Value: vulnerability list (59)

Summary of the 59 CVEs associated with the CWE-252 Unchecked Return Value weakness class, with AI-generated analysis (in Chinese).

CWE-252 is the unchecked return value weakness: the program ignores the return status of a function or method and therefore cannot recognise that an error condition has occurred. Attackers typically craft input that forces such a call to fail, turning the developer's assumption that "the call always succeeds" into an unintended program state or the wrong logic path. After every call that can fail, check the return value strictly and continue only on success; that single discipline removes most instances of this weakness.

MITRE CWE official description
CWE-252 Unchecked Return Value. Description: The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. Extended description: Two common programmer assumptions are "this function call can never fail" and "it doesn't matter if this function call fails". If an attacker can force the function to fail or otherwise return a value that is not expected, then the subsequent program logic could lead to a vulnerability, because the product is not in a state that the programmer assumes. For example, if the program calls a function to drop privileges but does not check the return code to ensure that privileges were successfully dropped, then the program will continue to operate with the higher privileges.
Common consequences (1)
Scope: Availability, Integrity. Impact: Unexpected State; DoS: Crash, Exit, or Restart.
An unexpected return value could place the system in a state that could lead to a crash or other unintended behaviors.
Mitigations (4)
1. Phase: Implementation. Check the results of all functions that return a value and verify that the value is expected. Effectiveness: High.
2. Phase: Implementation. For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
3. Phase: Implementation. Ensure that you account for all possible return values from the function.
4. Phase: Implementation. When designing a function, make sure you return a value or throw an exception in case of an error.
Code examples (2)

Example 1 (Bad, C). Consider the following code segment:

```c
char buf[10], cp_buf[10];
fgets(buf, 10, stdin);   /* return value never checked */
strcpy(cp_buf, buf);
```

The return value of fgets() is ignored. If end-of-file is reached before any character is read, buf is left unchanged (here, uninitialised), and after a read error its contents are indeterminate; strcpy() then copies a buffer that may not be null-terminated.

Example 2 (Bad, C). In the following example, it is possible to request that memcpy move a much larger segment of memory than assumed:

```c
int returnChunkSize(void *) {
    /* if chunk info is valid, return the size of usable memory,
     * else, return -1 to indicate an error */
    ...
}

int main() {
    ...
    memcpy(destBuf, srcBuf, (returnChunkSize(destBuf)-1));
    ...
}
```

If returnChunkSize() fails and returns -1, the length argument becomes -2, which memcpy() receives as a size_t of SIZE_MAX - 1.
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2024-39558 | Junos OS and Junos OS Evolved: Receipt of specific PIM packet causes rpd crash when PIM is configured along with MoFRR | Junos OS | 6.5 | Medium | 2024-07-10 |
| CVE-2024-37039 | Schneider Electric SAGE RTUs security vulnerability | Sage 1410 | 5.9 | Medium | 2024-06-12 |
| CVE-2023-50359 | QTS, QuTS hero | QTS | 3.4 | Low | 2024-02-02 |
| CVE-2023-6918 | Libssh: missing checks for return values for digests | Red Hat Enterprise Linux 8 | 3.7 | Low | 2023-12-18 |
| CVE-2023-44322 | Siemens multiple products security vulnerability | RUGGEDCOM RM1224 LTE(4G) EU | 3.7 | Low | 2023-11-14 |
| CVE-2023-44182 | Junos OS and Junos OS Evolved: An Unchecked Return Value in multiple users interfaces affects confidentiality and integrity of device operations | Junos OS | 7.3 | High | 2023-10-12 |
| CVE-2023-4162 | Segmentation fault in Brocade Fabric OS after Brocade Fabric OS v9.0 | Fabric OS | 4.4 | Medium | 2023-08-31 |
| CVE-2023-37902 | Vyper's ecrecover can return undefined data if signature does not verify | vyper | 5.3 | Medium | 2023-07-25 |
| CVE-2023-3247 | Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP | PHP | 2.6 | Low | 2023-07-22 |
| CVE-2020-8934 | Site Kit by Google plugin for WordPress | Site Kit By Google | 4.3 | Medium | 2023-07-07 |
| CVE-2023-3013 | Unchecked Return Value in gpac/gpac | gpac/gpac | 6.1 | - | 2023-05-31 |
| CVE-2023-24825 | RIOT-OS vulnerable to NULL pointer dereference in gnrc_pktbuf_mark | RIOT | 7.5 | High | 2023-05-30 |
| CVE-2022-43765 | DoS in APROLs Tbase server | B&R APROL | 7.5 | High | 2023-02-08 |
| CVE-2022-43763 | Lack of checking preconditions in APROL | B&R APROL | 7.5 | High | 2023-02-08 |
| CVE-2022-3108 | Linux kernel security vulnerability | Kernel | 5.5 | - | 2022-12-14 |
| CVE-2022-23476 | Unchecked return value from xmlTextReaderExpand in Nokogiri | nokogiri | 7.5 | High | 2022-12-08 |
| CVE-2022-31225 | Dell BIOS security vulnerability | CPG BIOS | 3.0 | Low | 2022-09-12 |
| CVE-2022-1319 | Red Hat Undertow security vulnerability | undertow | 7.5 | - | 2022-08-31 |
| CVE-2022-0485 | libnbd code issue vulnerability | libnbd | 6.5 | - | 2022-08-29 |
| CVE-2021-3659 | Linux kernel code issue vulnerability | Kernel | 5.5 | - | 2022-08-22 |
| CVE-2021-41041 | Eclipse OpenJ9 security vulnerability | Eclipse OpenJ9 | 5.3 | - | 2022-04-27 |
| CVE-2021-42780 | OpenSC security vulnerability | opensc | 5.3 | - | 2022-04-18 |
| CVE-2021-40401 | Gerbv resource management error vulnerability | Gerbv | 8.8 | - | 2022-02-04 |
| CVE-2021-34585 | CODESYS V2 web server: crafted requests could trigger a pointer dereference with an invalid address (DoS) | CODESYS V2 | 7.5 | High | 2021-10-26 |
| CVE-2021-31366 | Junos OS: MX Series: In subscriber management / BBE configuration authd can crash if a subscriber with a specific username tries to login leading to a DoS | Junos OS | 6.5 | Medium | 2021-10-19 |
| CVE-2021-37625 | Incorrect Check of Function Return Value in Skytable | skytable | 7.5 | High | 2021-08-05 |
| CVE-2020-17533 | Apache Accumulo Improper Handling of Insufficient Permissions | Apache Accumulo | 8.1 | - | 2020-12-29 |
| CVE-2020-6152 | Accusoft ImageGear buffer error vulnerability | Accusoft | 8.8 | - | 2020-09-01 |
| CVE-2018-14622 | libtirpc security vulnerability | libtirpc | 7.5 | - | 2018-08-30 |

A "-" in the Severity column means the page lists a CVSS score without a severity rating for that entry.

CWE-252 (Unchecked Return Value) is a common weakness class; this platform has catalogued 59 CVEs associated with it.