2 vulnerabilities classified as CWE-344 (Use of Invariant Value in Dynamically Changing Context). AI Chinese analysis included.
CWE-344 represents a configuration weakness where a product relies on a constant value, name, or reference that fails to adapt across varying environments. This flaw typically arises when developers hardcode assumptions about network addresses, file paths, or system identifiers, assuming a static infrastructure. Attackers exploit this by manipulating the execution context or environment variables to trigger unexpected behavior, such as accessing unintended resources or bypassing security controls. For instance, a service hardcoded to listen on localhost may inadvertently expose itself if the environment changes, allowing remote exploitation. To prevent this, developers must implement dynamic configuration management, ensuring that critical values are derived from environment-specific settings rather than being statically defined. Rigorous testing across diverse deployment scenarios further helps identify and rectify these invariant dependencies before production release.
Illustrative code for the weakness, kept as given: a credential compiled into the binary, and a function pointer bound to a fixed address.

```c
#include <stdio.h>
#include <string.h>

/* Hardcoded credential: "Mew!" is an invariant that cannot change per deployment. */
int VerifyAdmin(char *password) {
    if (strcmp(password, "Mew!")) {
        printf("Incorrect Password!\n");
        return(0);
    }
    printf("Entering Diagnostic Mode...\n");
    return(1);
}
```

```java
// Same weakness in Java: the expected value is a fixed literal.
int VerifyAdmin(String password) {
    if (!password.equals("Mew!")) {
        return(0);
    }
    //Diagnostic Mode
    return(1);
}
```

```c
/* Function pointer bound to a fixed address chosen at compile time. */
int (*pt2Function) (float, char, char) = (int (*)(float, char, char))0x08040000;
int result2 = (*pt2Function) (12, 'a', 'b'); // Here we can inject code to execute.
```

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2023-22746 | CKAN is vulnerable to session secret shared across instances using Docker images — ckan | 8.6 | High | 2023-02-03 |
| CVE-2022-36022 | Some Deeplearning4J packages use unclaimed s3 bucket in tests and examples — deeplearning4j | 5.3 | Medium | 2022-11-10 |
Vulnerabilities classified as CWE-344 (Use of Invariant Value in Dynamically Changing Context) represent 2 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.
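A hardened counterpart to the VerifyAdmin snippet above, added here as an example and not code from the CWE entry or from either product in the table: the expected secret is supplied per deployment through an environment variable (DIAG_PASSWORD is an assumed name), the check fails closed when nothing is configured, and the comparison does not stop at the first differing byte. The same principle applies to the CKAN entry in the table, where a session secret baked into a shared image acted as an invariant across every instance built from it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened VerifyAdmin: the credential is not compiled in but
 * read at call time from the (assumed) DIAG_PASSWORD environment variable,
 * so each deployment context supplies its own value. */

/* Compare two strings without returning early, so the time taken does not
 * reveal how many leading characters matched. Returns 1 on match, else 0. */
static int secrets_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/* Core check against an explicitly supplied expected value.
 * Fail closed: a missing or empty configured secret never grants access. */
int verify_admin_with_expected(const char *password, const char *expected)
{
    if (password == NULL || expected == NULL || expected[0] == '\0')
        return 0;
    return secrets_equal(password, expected);
}

/* Deployment-facing entry point: the expected value comes from the
 * environment of the running process, not from a literal in the source. */
int verify_admin(const char *password)
{
    return verify_admin_with_expected(password, getenv("DIAG_PASSWORD"));
}

int main(void)
{
    /* With DIAG_PASSWORD unset this prints "Incorrect Password!" because
     * there is no configured secret to match against. */
    if (verify_admin("Mew!"))
        printf("Entering Diagnostic Mode...\n");
    else
        printf("Incorrect Password!\n");
    return 0;
}
```

Because the secret is injected at runtime, the same binary or container image can be reused across environments without sharing a credential between them, and a deployment that forgets to set the variable is locked out rather than silently accepting a default.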