
CWE-27 Path Traversal: 'dir/../../filename' vulnerability list (18)

Summary of the 18 CVE vulnerabilities associated with the CWE-27 weakness Path Traversal: 'dir/../../filename', with AI-generated analysis in Chinese.

CWE-27 is a path traversal weakness: the program fails to properly neutralize "../" sequences in external input, so the file path it resolves ends up outside the intended restricted directory. An attacker who exploits this flaw can craft a malicious path to read or execute sensitive system files. Developers should avoid building file paths directly from user input, enforce strict input validation (escaping special characters or filtering against an allowlist), and restrict file access permissions, which together block access through illegal paths.

MITRE CWE official description
CWE-27 Path Traversal: 'dir/../../filename'. The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal "../" sequences that can resolve to a location outside of that directory. This allows attackers to traverse the file system to access files or directories outside the restricted directory. The 'directory/../../filename' manipulation is useful for bypassing some path traversal protection schemes. Sometimes a program only removes one "../" sequence, so multiple "../" can bypass that check. Alternatively, this manipulation can be used to bypass a check for "../" at the beginning of the pathname, moving up more than one directory level.

Common consequences (1)
Scope: Confidentiality, Integrity. Impact: Read Files or Directories; Modify Files or Directories.

Mitigations (2)
Phase: Implementation. Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Phase: Implementation. Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
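The two insufficient filters the MITRE description names (removing a single "../" sequence, and checking only for "../" at the start of the pathname) and the canonicalize-then-validate mitigation are illustrated below in an added Python example. It is not code from the page or from any of the listed vendors; the restricted directory /srv/app/public and the file names used are assumptions constructed for the demonstration. Resolution is purely lexical so it runs offline; the hardened function decodes exactly once, normalises, and then checks that the result is still inside the base directory.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical restricted directory (an assumption for this example, not from the page).
BASE_DIR = "/srv/app/public"


def escapes_base(resolved: str) -> bool:
    """True when an absolute, normalised path lies outside BASE_DIR.

    commonpath() compares whole path components, so "/srv/app/publicX/f"
    is correctly reported as outside "/srv/app/public".
    """
    return posixpath.commonpath([BASE_DIR, resolved]) != BASE_DIR


def strip_once_resolve(user_path: str) -> str:
    """Insufficient filter #1 from the CWE text: removes only the first "../"."""
    filtered = user_path.replace("../", "", 1)
    return posixpath.normpath(posixpath.join(BASE_DIR, filtered))


def leading_check_resolve(user_path: str) -> str:
    """Insufficient filter #2 from the CWE text: rejects "../" only at the start."""
    if user_path.startswith("../"):
        raise ValueError("path starts with ../")
    return posixpath.normpath(posixpath.join(BASE_DIR, user_path))


def safe_resolve(user_path: str) -> str:
    """Hardened pattern following the mitigations above.

    1. Decode exactly once (CWE-174: never decode the same input twice).
    2. Canonicalise to the internal representation (CWE-180) before validating.
    3. Validate the canonical result against BASE_DIR, not the raw input.
    Raises ValueError for any path that would escape the restricted directory.
    """
    decoded = unquote(user_path)          # single decode step
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # Treat the input as relative: a leading "/" would make join() discard BASE_DIR.
    relative = decoded.lstrip("/")
    canonical = posixpath.normpath(posixpath.join(BASE_DIR, relative))
    # Lexical canonicalisation only; on a real filesystem also apply os.path.realpath
    # so that symbolic links cannot point outside BASE_DIR.
    if escapes_base(canonical):
        raise ValueError(f"path escapes {BASE_DIR}: {user_path!r}")
    return canonical


def is_rejected(user_path: str) -> bool:
    """Helper for checks: True when safe_resolve() refuses the input."""
    try:
        safe_resolve(user_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a benign path, the page's two bypass shapes,
    # a single-encoded form, and a double-encoded form.
    for p in ["docs/readme.txt", "../../secret.txt", "dir/../../secret.txt",
              "%2e%2e/%2e%2e/secret.txt", "%252e%252e/secret.txt"]:
        print(f"{p!r:32} -> {'rejected' if is_rejected(p) else safe_resolve(p)}")
```

The two naive resolvers both return a path under /srv/app rather than /srv/app/public for the inputs the CWE text describes, which is exactly the escape escapes_base() flags. The double-encoded input is kept as a literal file name under the base directory because the hardened function refuses to decode a second time; whether such a name exists is then an ordinary filesystem lookup, not a traversal.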
CVE ID | Title | Affected product | CVSS | Risk level | Published
CVE-2026-20018 | Cisco Secure Firewall Management Center and Cisco Secure Firewall Threat Defense security vulnerability | Cisco Secure Firewall Management Center (FMC) | 5.9 | Medium | 2026-03-04
CVE-2025-66518 | Apache Kyuubi security vulnerability | Apache Kyuubi | 8.1 | - | 2026-01-05
CVE-2025-58292 | Huawei HarmonyOS security vulnerability | HarmonyOS | 3.3 | Low | 2025-10-11
CVE-2025-10438 | Yordam Katalog security vulnerability | Yordam Katalog | 8.6 | High | 2025-09-25
CVE-2025-58761 | Tautulli security vulnerability | Tautulli | 8.6 | High | 2025-09-09
CVE-2024-43658 | iocharger security vulnerability | Iocharger firmware for AC models | 8.1 | - | 2025-01-09
CVE-2023-20090 | Cisco RoomOS Software and Cisco TelePresence Collaboration Endpoint Software security vulnerability | Cisco RoomOS Software | 6.7 | Medium | 2024-11-15
CVE-2024-7458 | ELADMIN security vulnerability | eladmin | 5.5 | Medium | 2024-08-04
CVE-2024-24809 | Traccar security vulnerability | traccar | 8.5 | High | 2024-04-10
CVE-2024-20348 | Cisco Nexus Dashboard security vulnerability | Cisco Data Center Network Manager | 7.5 | High | 2024-04-03
CVE-2023-50254 | deepin-reader security vulnerability | developer-center | 9.3 | Critical | 2023-12-22
CVE-2023-34125 | SonicWall GMS and Analytics path traversal vulnerability | GMS | 6.5 | - | 2023-07-13
CVE-2023-20131 | Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager cross-site scripting vulnerability | Cisco Prime Infrastructure | 6.5 | Medium | 2023-04-05
CVE-2023-20130 | Cisco Prime Infrastructure cross-site request forgery vulnerability | Cisco Prime Infrastructure | 6.5 | Medium | 2023-04-05
CVE-2023-20129 | Cisco Prime Infrastructure path traversal vulnerability | Cisco Prime Infrastructure | 6.5 | Medium | 2023-04-05
CVE-2023-20127 | Cisco Prime Infrastructure security vulnerability | Cisco Prime Infrastructure | 6.5 | Medium | 2023-04-05
CVE-2023-27588 | Hasura GraphQL Engine path traversal vulnerability | graphql-engine | 7.5 | High | 2023-03-14
CVE-2021-35027 | Zyxel VPN2S path traversal vulnerability | ZyWALL VPN2S Firmware | 7.5 | High | 2021-09-29

CWE-27 (Path Traversal: 'dir/../../filename') is a common weakness category; this platform records 18 CVE vulnerabilities associated with it.