
CWE-269 Improper Privilege Management: vulnerability list (1060)

Summary of the 1060 CVE entries associated with the CWE-269 Improper Privilege Management weakness class, with AI-generated analysis in Chinese.

CWE-269 is an improper privilege management weakness: the product fails to correctly assign, modify, track or check user privileges, so an attacker obtains an unintended sphere of control. Attackers commonly exploit this flaw to escalate privileges or to access sensitive resources beyond their authorization. Developers should apply the principle of least privilege, verify identity and authorization on every operation, and make sure that privilege assignment, change and revocation are performed securely and completely, so that unauthorized access is prevented.

MITRE CWE official description
CWE-269 Improper Privilege Management. Description: the product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common consequences (1)
Scope: Access Control. Impact: Gain Privileges or Assume Identity.
Potential mitigations (3)
Phase: Architecture and Design, Operation. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Phase: Architecture and Design. Follow the principle of least privilege when assigning access rights to entities in a software system.
Phase: Architecture and Design. Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Demonstrative examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder.

    import os

    # invalidUsername(), raisePrivileges() and lowerPrivileges() are helpers
    # assumed by the MITRE example; they are not defined here.
    def makeNewUserDir(username):
        if invalidUsername(username):
            # avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False
        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            # lowerPrivileges() is skipped if os.mkdir() raises OSError,
            # so the process stays elevated on the failure path.
            lowerPrivileges()
        except OSError:
            print('Unable to create new user directory for user:' + username)
            return False
        return True

Bad · Python
The following example demonstrates the weakness.

    seteuid(0);        /* raise to root for the whole block */
    /* do some stuff */
    seteuid(getuid()); /* drop back to the real user id */

Bad · C
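The following is an added example (not MITRE's code and not part of this listing) showing the Python sample above beside a hardened form that applies the mitigations listed: the elevated window is kept as short as possible and privileges are always lowered, even when the operation fails. Real privilege switching (seteuid and friends) is replaced by a hypothetical PrivilegeTracker that only records whether the process is elevated, so the code runs unprivileged; the username allow-list regex is a constructed choice.

```python
import os
import re
import tempfile

# Constructed allow-list: lowercase POSIX-style user names only. Rejecting
# everything else also blocks path traversal (CWE-22) and shell
# metacharacters (CWE-78), which the MITRE sample guards with invalidUsername().
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


class PrivilegeTracker:
    """Hypothetical stand-in for seteuid()-style privilege switching.

    It records whether the process is currently elevated so the example
    runs without root and the final state can be inspected afterwards.
    """

    def __init__(self):
        self.elevated = False

    def raise_privileges(self):
        self.elevated = True

    def lower_privileges(self):
        self.elevated = False


def make_user_dir_unsafe(priv, base, username):
    """Mirrors the MITRE 'bad' sample: privileges are lowered only on the
    success path, so a failing mkdir leaves the process elevated."""
    if not USERNAME_RE.match(username):
        return False
    try:
        priv.raise_privileges()
        os.mkdir(os.path.join(base, username))
        priv.lower_privileges()  # never reached when mkdir raises
    except OSError:
        return False
    return True


def make_user_dir_safe(priv, base, username):
    """Hardened form: validate before elevating, elevate only around the
    single privileged call, and lower privileges in a finally block so
    every exit path (success, OSError, unexpected exception) drops them."""
    if not USERNAME_RE.match(username):
        return False
    priv.raise_privileges()
    try:
        os.mkdir(os.path.join(base, username))
    except OSError:
        return False
    finally:
        priv.lower_privileges()
    return True


def demo_failed_mkdir(func):
    """Run func against a base directory that does not exist, so mkdir
    raises OSError; return (result, still_elevated) for inspection."""
    priv = PrivilegeTracker()
    with tempfile.TemporaryDirectory() as tmp:
        missing_base = os.path.join(tmp, "does-not-exist")
        ok = func(priv, missing_base, "alice")
    return ok, priv.elevated


def demo_success(func):
    """Run func against a real temporary directory; return
    (result, still_elevated, directory_created)."""
    priv = PrivilegeTracker()
    with tempfile.TemporaryDirectory() as tmp:
        ok = func(priv, tmp, "bob")
        created = os.path.isdir(os.path.join(tmp, "bob"))
    return ok, priv.elevated, created


if __name__ == "__main__":
    print("unsafe, mkdir fails:", demo_failed_mkdir(make_user_dir_unsafe))  # (False, True)
    print("safe,   mkdir fails:", demo_failed_mkdir(make_user_dir_safe))    # (False, False)
    print("safe,   mkdir ok:   ", demo_success(make_user_dir_safe))         # (True, False, True)
```

The tracker makes the difference visible: after a failed mkdir the unsafe variant reports elevated == True, the hardened variant elevated == False. In production code the same try/finally shape wraps the real seteuid()/setresuid() calls, and the return value of the lowering call should itself be checked.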
CVE ID | Title | CVSS | Risk level | Published
CVE-2018-14787 | Philips IntelliSpace Cardiovascular and Xcelera security vulnerability (IntelliSpace Cardiovascular (ISCV) products) | 7.8 | - | 2018-08-22
CVE-2016-9489 | ZOHO ManageEngine Applications Manager trust management vulnerability (Applications Manager) | 8.1 | - | 2018-07-13
CVE-2018-8841 | Multiple Advantech products security vulnerability (WebAccess) | 8.1 | - | 2018-05-15
CVE-2017-0932 | Ubiquiti Networks EdgeOS security vulnerability (EdgeRouter X) | 8.8 | - | 2018-03-22
CVE-2017-0934 | Ubiquiti Networks EdgeOS security vulnerability (EdgeRouter X) | 8.8 | - | 2018-03-22
CVE-2017-0935 | Ubiquiti Networks EdgeOS security vulnerability (EdgeRouter X) | 8.8 | - | 2018-03-22
CVE-2017-12728 | iniNet Solutions SpiderControl SCADA Web Server security vulnerability (SpiderControl SCADA Web Server) | 7.8 | - | 2017-10-04
CVE-2017-9940 | Siemens SiPass integrated security vulnerability (SiPass integrated, all versions before V2.70) | 8.1 | - | 2017-08-08
CVE-2017-7922 | Cambium Networks ePMP permissions, privileges and access control vulnerability (Cambium Networks ePMP) | 7.6 | - | 2017-06-21
CVE-2014-9193 | Innominate mGuard permissions, privileges and access control vulnerability (mGuard) | 7.2 | - | 2014-12-20

CWE-269 (Improper Privilege Management) is a common weakness class; this platform has collected 1060 CVE entries associated with it.