CWE-285 Improper Authorization: summary of 1059 CVE vulnerabilities in this weakness class, with AI-generated Chinese analysis.
CWE-285 is an access-control defect: the system fails to perform a proper authorization check when a resource is accessed or an operation is executed. Attackers commonly tamper with request parameters or bypass front-end restrictions to read sensitive data or perform privileged operations under an identity that is not authorized to do so. Developers should implement strict role-based access control and perform fine-grained permission validation on the server side for every request, so that only legitimate users can perform the corresponding operations and the risk of unauthorized (cross-privilege) access is eliminated.
Example 1 (PHP): the database query is parameterized, but the function never checks whether the requesting user is authorized to view the employee record it returns.

```php
<?php
// The query avoids SQL injection, but nothing checks whether the current
// user may read the record named in the request: any caller can retrieve
// any employee's data by changing the EmployeeName parameter (CWE-285).
function runEmployeeQuery($dbName, $name) {
    global $globalDbHandle; // PDO connection opened elsewhere
    if ($globalDbHandle->exec('USE ' . $dbName) === false) {
        die("Could not open Database " . $dbName);
    }
    // Use a prepared statement to avoid CWE-89
    $preparedStatement = $globalDbHandle->prepare('SELECT * FROM employees WHERE name = :name');
    $preparedStatement->execute(array(':name' => $name));
    return $preparedStatement->fetchAll();
}
// ...
$employeeRecord = runEmployeeQuery('EmployeeDB', $_GET['EmployeeName']);
```

Example 2 (Perl): the user is authenticated, but the requested message id is never checked against that user, so any authenticated user can read any private message.

```perl
use strict;
use warnings;
use CGI;

# Helpers assumed to exist elsewhere: LookupMessageObject, encodeHTML,
# AuthenticateUser, ExitError.
sub DisplayPrivateMessage {
    my ($id) = @_;
    my $Message = LookupMessageObject($id);
    print "From: " . encodeHTML($Message->{from}) . "<br>\n";
    print "Subject: " . encodeHTML($Message->{subject}) . "\n";
    print "<hr>\n";
    print "Body: " . encodeHTML($Message->{body}) . "\n";
}

my $q = CGI->new;
# For purposes of this example, assume that CWE-309 and
# CWE-523 do not apply.
if (!AuthenticateUser($q->param('username'), $q->param('password'))) {
    ExitError("invalid username or password");
}
# The user is authenticated, but the message id is never checked against
# that user: any valid id displays someone else's private message (CWE-285).
my $id = $q->param('id');
DisplayPrivateMessage($id);
```

| CVE ID | Title | CVSS | Risk level | Published |
|---|---|---|---|---|
| CVE-2019-13528 | Niagara AX and Niagara authorization issue vulnerability — Niagara | 4.4 | - | 2019-09-24 |
| CVE-2019-13550 | Advantech WebAccess authorization issue vulnerability — WebAccess | 8.8 | - | 2019-09-18 |
| CVE-2019-12635 | Cisco Content Security Management Appliance authorization issue vulnerability — Cisco Content Security Management Appliance (SMA) | 5.4 | - | 2019-09-05 |
| CVE-2019-1907 | Cisco UCS C-Series and Cisco UCS S-Series Integrated Management Controller Software authorization issue vulnerability — Cisco Unified Computing System (Management Software) | 8.8 | - | 2019-08-21 |
| CVE-2019-1863 | Cisco Integrated Management Controller authorization issue vulnerability — Cisco Unified Computing System E-Series Software (UCSE) | 8.1 | - | 2019-08-21 |
| CVE-2019-13416 | floragunn Search Guard authorization issue vulnerability — Search Guard | 6.5 | - | 2019-08-13 |
| CVE-2019-1934 | Cisco Adaptive Security Appliances Software security vulnerability — Cisco Adaptive Security Appliance (ASA) Software | 8.8 | - | 2019-08-07 |
| CVE-2019-1912 | Cisco Small Business 220 Series Smart Switches authorization issue vulnerability — Cisco Small Business 220 Series Smart Plus Switches | 9.8 | - | 2019-08-07 |
| CVE-2019-2386 | MongoDB Server code issue vulnerability — MongoDB Server | 7.1 | High | 2019-08-06 |
| CVE-2019-10154 | Moodle access control error vulnerability — moodle | 5.3 | - | 2019-06-26 |
| CVE-2019-1899 | Cisco RV110W, RV130W and RV215W authorization issue vulnerability — Cisco RV130W Wireless-N Multifunction VPN Router Firmware | 5.3 | - | 2019-06-20 |
| CVE-2019-1897 | Cisco RV110W, RV130W and RV215W authorization issue vulnerability — Cisco RV130W Wireless-N Multifunction VPN Router Firmware | 5.3 | - | 2019-06-20 |
| CVE-2019-1898 | Cisco RV110W, RV130W and RV215W authorization issue vulnerability — Cisco RV130W Wireless-N Multifunction VPN Router Firmware | 5.3 | - | 2019-06-20 |
| CVE-2019-10159 | cfme-gemset authorization issue vulnerability — cfme | 4.3 | - | 2019-06-14 |
| CVE-2019-6581 | Siemens Siveillance VMS permissions, privileges and access control issue vulnerability — Siveillance VMS 2017 R2 | 9.8 | - | 2019-06-12 |
| CVE-2019-6582 | Siemens Siveillance VMS permissions, privileges and access control issue vulnerability — Siveillance VMS 2017 R2 | 8.2 | - | 2019-06-12 |
| CVE-2019-1842 | Cisco IOS XR authorization issue vulnerability — Cisco IOS XR Software | 5.4 | - | 2019-06-05 |
| CVE-2019-1851 | Cisco Identity Services Engine authorization issue vulnerability — Cisco Identity Services Engine Software | 6.8 | - | 2019-05-16 |
| CVE-2019-1859 | Multiple Cisco products trust management issue vulnerability — Cisco Small Business 200 Series Smart Switches | 9.8 | - | 2019-05-03 |
| CVE-2019-3842 | systemd authorization issue vulnerability — systemd | 7.0 | - | 2019-04-09 |
| CVE-2019-3849 | Moodle permissions, privileges and access control issue vulnerability — moodle | 8.8 | - | 2019-03-26 |
| CVE-2015-3954 | Multiple Hospira products security vulnerability — Plum A+ Infusion System | 9.8 | - | 2019-03-25 |
| CVE-2019-3785 | Cloud Foundry Cloud Controller authorization issue vulnerability — CAPI | 8.1 | - | 2019-03-13 |
| CVE-2019-1603 | Cisco NX-OS Software authorization issue vulnerability — Nexus 3000 Series Switches | 7.8 | - | 2019-03-08 |
| CVE-2019-1604 | Cisco NX-OS Software authorization issue vulnerability — Nexus 7000 and 7700 Series Switches | 7.8 | - | 2019-03-08 |
| CVE-2018-9867 | SonicWall SonicOS access control error vulnerability — SonicOS | 5.5 | - | 2019-02-19 |
| CVE-2019-3820 | gnome-shell authorization issue vulnerability — gnome-shell | 4.3 | - | 2019-02-06 |
| CVE-2018-14666 | Foreman security vulnerability — Satellite | 8.1 | - | 2019-01-22 |
| CVE-2018-14662 | Red Hat Ceph information disclosure vulnerability — ceph | 5.7 | - | 2019-01-15 |
| CVE-2018-15465 | Cisco Adaptive Security Appliances Software authorization subsystem permissions, privileges and access control vulnerability — Cisco Adaptive Security Appliance (ASA) Software | 8.1 | - | 2018-12-24 |
CWE-285 (Improper Authorization) is a common weakness category; this platform has catalogued 1059 CVE vulnerabilities associated with it.