
CWE-280 Improper Handling of Insufficient Permissions or Privileges: vulnerability list (122 entries)

A summary of the 122 CVE vulnerabilities associated with the CWE-280 (Improper Handling of Insufficient Permissions or Privileges) weakness class, with AI-generated Chinese analysis.

CWE-280 is a privilege-handling defect: the program does not correctly handle the case where it lacks sufficient permissions, so execution enters an unintended code path and may leave the program in an inconsistent state. Attackers typically craft low-privilege requests or tamper with identity credentials to trigger this logic error, gaining unauthorized access or causing a denial of service. Developers should enforce strict permission checks, apply a secure default-deny policy whenever a privilege check fails, and log the event for auditing, so that a mistaken privilege decision cannot turn into a security incident.

MITRE CWE official description
CWE-280: Improper Handling of Insufficient Permissions or Privileges. The product does not handle, or incorrectly handles, the case in which it has insufficient privileges to access a resource or a piece of functionality. This may cause it to follow unexpected code paths that leave the product in an invalid state.

Common consequences (1)
Scope: Other. Impact: Other; Alter Execution Logic.

Mitigations (2)
Phase: Architecture and Design. Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
Phase: Implementation. Always check to see if you have successfully accessed a resource or system functionality, and use proper error handling if it is unsuccessful. Do this even when you are operating in a highly privileged mode, because errors or environmental conditions might still cause a failure. For example, environments with highly granular permissions/privilege models, such as Windows or Linux capabilities, can …
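As an added illustration of the Implementation mitigation above (this is example code written for this page, not code from MITRE or from this platform): a C program that loads an access rule file before making an authorization decision. The vulnerable function ignores a failed open, so a process that lacks the privilege to read the rules falls through to the "no rules" path and grants access, which is exactly the CWE-280 condition; the hardened function treats the failure as its own outcome, hands errno back for audit logging, and fails closed. The rule file format, the user names and the file paths are constructed for the example, and a missing file stands in for a permission denial because the failure handling is the same for EACCES, EPERM and ENOENT.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
enum acl_decision { ACL_DENY = 0, ACL_ALLOW = 1 };
/* Rule file format (constructed for this example): one "deny <user>" per line. */
static int user_is_denied(FILE *f, const char *user)
{
    char line[256]; int denied = 0;
    while (fgets(line, sizeof line, f)) {
        line[strcspn(line, "\n")] = '\0';
        if (strncmp(line, "deny ", 5) == 0 && strcmp(line + 5, user) == 0)
            denied = 1;
    }
    return denied;
}

/* CWE-280 pattern: a failed fopen (EACCES/EPERM when the process lacks the
 * privilege, ENOENT when the file is missing) is never handled, so control
 * falls through to the "no rules" path and access is granted. */
int is_allowed_vulnerable(const char *rule_path, const char *user)
{
    FILE *f = fopen(rule_path, "r");
    int denied = 0;
    if (f != NULL) { denied = user_is_denied(f, user); fclose(f); }
    return denied ? ACL_DENY : ACL_ALLOW;
}

/* Hardened: the failure is an explicit outcome, errno is handed back for
 * audit logging, and the decision fails closed to DENY. */
int is_allowed_hardened(const char *rule_path, const char *user, int *err_out)
{
    FILE *f = fopen(rule_path, "r");
    *err_out = 0;
    if (f == NULL) {
        *err_out = errno;
        fprintf(stderr, "audit: cannot read %s (%s); denying %s\n", rule_path, strerror(*err_out), user);
        return ACL_DENY;
    }
    int denied = user_is_denied(f, user);
    fclose(f);
    return denied ? ACL_DENY : ACL_ALLOW;
}

/* Writes the constructed rule file so the example runs offline; 0 on success. */
int write_constructed_rules(const char *path)
{
    FILE *f = fopen(path, "w");
    return (f && fputs("deny mallory\n", f) >= 0 && fclose(f) == 0) ? 0 : -1;
}
```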
CVE ID        | Title                                                                                                             | CVSS | Risk   | Published
CVE-2019-6570 | Siemens SINEMA Remote Connect Server permission and access control vulnerability (SINEMA Remote Connect Server 8.1) | -    |        | 2019-04-17
CVE-2012-4550 | JBoss Enterprise Application Platform security vulnerability (Red Hat JBoss Enterprise Application Platform 6.0)    | 5.3  | Medium | 2013-01-05

CWE-280 (Improper Handling of Insufficient Permissions or Privileges) is a common weakness class; this platform lists 122 CVE vulnerabilities associated with it.