
CWE-267 Privilege Defined With Unsafe Actions: vulnerability list (42)

Summary of the 42 CVE entries associated with the CWE-267 (Privilege Defined With Unsafe Actions) weakness class, with AI-generated analysis.

CWE-267 covers privileges that are defined too broadly: a privilege, role or capability granted to an entity includes actions it was never meant to allow. The entity holding it may well be the right one; the defect is in the privilege itself, which bundles a dangerous operation with the ordinary ones. An attacker who holds or obtains that legitimate identity can therefore perform high-impact actions without defeating any check, bypassing the control the privilege was supposed to enforce and gaining access it should not have. To avoid this, do not bundle unrelated capabilities into a single privilege; follow the principle of least privilege so that each role carries only the minimal set of rights its task requires; and review the mapping between each privilege and the operations it actually unlocks, rather than assuming that "not the lowest role" means "trusted".

MITRE CWE official description
CWE-267 Privilege Defined With Unsafe Actions: A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.
Common consequences (1)
Scope: Access Control. Impact: Gain Privileges or Assume Identity.
A user can access restricted functionality and/or sensitive information that may include administrative functionality and user accounts.
Mitigations (2)
Phases: Architecture and Design; Operation. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Phases: Architecture and Design; Operation. Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database ad…
Code example (1)
This code intends to allow only Administrators to print debug information about a system. The check is written as a switch on the role with GUEST as the only denied case, so every other role, including USER, falls into the default branch and receives the debug output: the "non-GUEST" privilege unlocks an action that only ADMIN was meant to have.

```java
public enum Roles { ADMIN, USER, GUEST }

public void printDebugInfo(User requestingUser) {
    if (isAuthenticated(requestingUser)) {
        switch (requestingUser.role) {
            case GUEST:
                System.out.println("You are not authorized to perform this command");
                break;
            default:
                // Flaw: every role other than GUEST lands here, so an
                // authenticated USER is granted the ADMIN-only debug output.
                System.out.println(currentDebugState());
                break;
        }
    } else {
        System.out.println("You must be logged in to perform this command");
    }
}
```

Bad · Java
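A deny-by-default rewrite of that snippet, as an added example that is not MITRE's code: the switch on role is replaced by an explicit per-action allow-list, so an unlisted role, a new role, or a forgotten case can never widen access, and the mapping itself can be dumped for review. `User`, `isAuthenticated` and `currentDebugState` are assumed stand-ins for the page's unshown helpers; `Action`, `ALLOWED`, `isAllowed` and `auditMapping` are names introduced here.

```java
import java.util.EnumMap;
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

public class DebugAccess {

    public enum Roles { ADMIN, USER, GUEST }

    // Every privileged operation is named explicitly. An action that is not
    // added to ALLOWED below is reachable by nobody.
    public enum Action { PRINT_DEBUG_INFO, VIEW_OWN_PROFILE }

    // Assumed stand-in for the page's unshown User type.
    public static final class User {
        final String name;
        final Roles role;
        final boolean loggedIn;

        User(String name, Roles role, boolean loggedIn) {
            this.name = name;
            this.role = role;
            this.loggedIn = loggedIn;
        }
    }

    // Allow-list: for each action, the roles that may perform it.
    // This map is the single place a reviewer has to audit.
    private static final Map<Action, Set<Roles>> ALLOWED = new EnumMap<>(Action.class);
    static {
        ALLOWED.put(Action.PRINT_DEBUG_INFO, EnumSet.of(Roles.ADMIN));
        ALLOWED.put(Action.VIEW_OWN_PROFILE, EnumSet.of(Roles.ADMIN, Roles.USER));
    }

    // Assumed stand-ins for the page's isAuthenticated/currentDebugState helpers.
    static boolean isAuthenticated(User u) {
        return u != null && u.loggedIn;
    }

    static String currentDebugState() {
        return "debug: uptime=..., heap=..., threads=...";
    }

    // Deny by default: unauthenticated callers, unknown actions and roles
    // that are not on the list for this action all fall through to false.
    public static boolean isAllowed(User u, Action action) {
        if (!isAuthenticated(u)) {
            return false;
        }
        Set<Roles> roles = ALLOWED.get(action);
        return roles != null && roles.contains(u.role);
    }

    // Hardened form of the page's printDebugInfo: the check asks whether the
    // role is listed for this specific action, not whether it is "not GUEST".
    public static String printDebugInfo(User requestingUser) {
        if (!isAuthenticated(requestingUser)) {
            return "You must be logged in to perform this command";
        }
        if (!isAllowed(requestingUser, Action.PRINT_DEBUG_INFO)) {
            return "You are not authorized to perform this command";
        }
        return currentDebugState();
    }

    // Audit view of the mapping: per action, exactly which roles reach it,
    // so a reviewer can spot a privilege that unlocks more than intended.
    public static String auditMapping() {
        StringBuilder sb = new StringBuilder();
        for (Action a : Action.values()) {
            Set<Roles> roles = ALLOWED.getOrDefault(a, EnumSet.noneOf(Roles.class));
            sb.append(a).append(" -> ").append(roles).append('\n');
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        User admin = new User("alice", Roles.ADMIN, true);
        User user = new User("bob", Roles.USER, true);
        User guest = new User("carol", Roles.GUEST, true);
        User anon = new User("dave", Roles.USER, false);

        // ADMIN sees the debug state; USER is now denied (the original
        // snippet's default branch let USER through); GUEST and
        // unauthenticated callers are denied as before.
        System.out.println("admin: " + printDebugInfo(admin));
        System.out.println("user:  " + printDebugInfo(user));
        System.out.println("guest: " + printDebugInfo(guest));
        System.out.println("anon:  " + printDebugInfo(anon));
        System.out.print(auditMapping());
    }
}
```

Compile and run with `javac DebugAccess.java && java DebugAccess`. Only the ADMIN line shows the debug state; the USER line now reads "You are not authorized", and the final lines print the role-to-action map that a reviewer would check against the intended privilege design.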
CVSS scores and risk levels marked "(AI)" are the platform's AI-generated estimates; "-" means no risk level is listed.

| CVE ID | Title | Product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2026-27314 | Apache Cassandra security vulnerability | Apache Cassandra | 8.8 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-2460 | Hitachi Energy Relion REB500 security vulnerability | Relion REB500 | 7.3 | - | 2026-02-24 |
| CVE-2026-2459 | Hitachi Energy Relion REB500 security vulnerability | Relion REB500 | 7.1 | - | 2026-02-24 |
| CVE-2025-14349 | Universal FlexCity/Kiosk access control error vulnerability | FlexCity/Kiosk | 8.8 | High | 2026-02-13 |
| CVE-2026-0945 | Drupal Role Delegation security vulnerability | Role Delegation | 8.8 (AI) | High (AI) | 2026-02-04 |
| CVE-2025-13979 | Drupal Mini site security vulnerability | Mini site | 5.4 (AI) | Medium (AI) | 2026-01-28 |
| CVE-2026-23526 | CVAT.ai CVAT security vulnerability | cvat | 6.5 (AI) | Medium (AI) | 2026-01-21 |
| CVE-2025-53900 | Kiteworks Mft security vulnerability | security-advisories | 6.5 | Medium | 2025-11-29 |
| CVE-2025-41244 | VMware Tools and VMware Aria Operations security vulnerability | VCF operations | 7.8 | High | 2025-09-29 |
| CVE-2025-7691 | GitLab Enterprise Edition security vulnerability | GitLab | 6.5 | Medium | 2025-09-26 |
| CVE-2025-26467 | Apache Cassandra security vulnerability | Apache Cassandra | 8.8 | - | 2025-08-25 |
| CVE-2025-47811 | Wing FTP Server security vulnerability | Wing FTP Server | 4.1 | Medium | 2025-07-10 |
| CVE-2025-7030 | Drupal Two-factor Authentication security vulnerability | Two-factor Authentication (TFA) | 8.1 (AI) | High (AI) | 2025-07-08 |
| CVE-2025-23015 | Apache Cassandra security vulnerability | Apache Cassandra | 8.8 | - | 2025-02-04 |
| CVE-2024-7571 | Ivanti Secure Access Client security vulnerability | Secure Access Client | 7.8 | High | 2024-11-12 |
| CVE-2024-8539 | Ivanti Secure Access Client security vulnerability | Secure Access Client | 7.1 | High | 2024-11-12 |
| CVE-2024-47906 | Ivanti Connect Secure security vulnerability | Connect Secure | 7.8 | High | 2024-11-12 |
| CVE-2024-8631 | GitLab security vulnerability | GitLab | 5.5 | Medium | 2024-09-12 |
| CVE-2024-20411 | Cisco NX-OS Software security vulnerability | Cisco NX-OS Software | 6.7 | Medium | 2024-08-28 |
| CVE-2024-42365 | Asterisk security vulnerability | asterisk | 7.4 | High | 2024-08-08 |
| CVE-2024-39866 | Siemens SINEMA Remote Connect security vulnerability | SINEMA Remote Connect Server | 8.8 | High | 2024-07-09 |
| CVE-2023-28049 | Dell Command \| Monitor security vulnerability | Dell Command Monitor (DCM) | 4.7 | Medium | 2024-02-06 |
| CVE-2023-41966 | Sielco Analog FM Transmitters security vulnerability | Analog FM transmitter | 6.5 | Medium | 2023-10-26 |
| CVE-2023-43746 | F5 BIG-IP security vulnerability | BIG-IP | 8.7 | High | 2023-10-10 |
| CVE-2023-44218 | SonicWALL NetExtender security vulnerability | NetExtender | 8.8 | High | 2023-10-03 |
| CVE-2023-32457 | Dell PowerScale OneFS security vulnerability | PowerScale OneFS | 7.5 | High | 2023-08-29 |
| CVE-2023-22647 | Rancher Labs Rancher security vulnerability | Rancher | 9.9 | Critical | 2023-06-01 |
| CVE-2023-2983 | Pimcore security vulnerability | pimcore/pimcore | 8.8 | - | 2023-05-30 |
| CVE-2021-44547 | Odoo security vulnerability | Odoo Community | 7.2 | - | 2023-04-25 |
| CVE-2021-23186 | Odoo security vulnerability | Odoo Community | 6.5 | - | 2023-04-25 |

CWE-267 (Privilege Defined With Unsafe Actions) is a common weakness class; this platform has collected 42 CVE entries associated with it.