
CWE-37 Path Traversal: '/absolute/pathname/here' vulnerability list (6)

Summary of the 6 CVE vulnerabilities associated with the CWE-37 Path Traversal: '/absolute/pathname/here' weakness, with AI-generated Chinese analysis.

CWE-37 is a path traversal weakness: the program accepts an input that is an absolute path beginning with a slash without validating it adequately. An attacker who exploits this flaw can construct a malicious path that bypasses the intended restrictions and reads or accesses sensitive files anywhere on the system. Developers should avoid concatenating user input directly into file paths and should implement strict input validation that ensures the resulting path can only point into the expected, safe directory, which effectively prevents file-system traversal attacks.

MITRE CWE official description
CWE-37 Path Traversal: '/absolute/pathname/here'
The product accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.

Common consequences (1)
Scope: Confidentiality, Integrity
Impact: Read Files or Directories, Modify Files or Directories

Mitigations (2)
Phase: Implementation
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Effectiveness: High

Phase: Implementation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
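The two mitigation notes above, applied together in one check (decode exactly once, canonicalize, then validate, and refuse input that is already an absolute path), as an added Python example that is not part of this page or of any listed vendor's code; BASE_DIR, the function names and the sample inputs are assumptions.

```python
import os
import urllib.parse

# Hypothetical document root the application is allowed to serve from.
BASE_DIR = "/srv/app/public"


class PathRejected(ValueError):
    """Raised when a user-supplied path fails validation."""


def decode_once(raw: str) -> str:
    # Decode exactly once (CWE-174). A second unquote later in the request
    # path would turn "%252F" -> "%2F" -> "/" after validation already passed.
    return urllib.parse.unquote(raw)


def resolve_user_path(raw: str, base_dir: str = BASE_DIR) -> str:
    """Return an absolute path confined to base_dir, or raise PathRejected.

    Order matters (CWE-180): decode -> canonicalize -> validate, so the value
    that is checked is the value that will actually be opened.
    """
    decoded = decode_once(raw)
    if "\x00" in decoded:
        raise PathRejected("NUL byte in path")
    # CWE-37: an input that is already absolute must be refused outright.
    # os.path.join(base, "/etc/passwd") silently discards base, so the
    # leading slash can never be "fixed" by joining. A leading backslash is
    # refused as well, a conservative choice for Windows-style input.
    if os.path.isabs(decoded) or decoded.startswith("\\"):
        raise PathRejected("absolute path not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath rather than startswith: "/srv/app/public-old/x" would pass a
    # plain prefix test against "/srv/app/public" but is outside the root.
    if os.path.commonpath([base, candidate]) != base:
        raise PathRejected("path escapes base directory")
    return candidate


def is_safe_path(raw: str, base_dir: str = BASE_DIR) -> bool:
    """Boolean wrapper around resolve_user_path for callers that only gate."""
    try:
        resolve_user_path(raw, base_dir)
        return True
    except PathRejected:
        return False
```

Note that "%252Fetc%252Fpasswd" is accepted: after a single decode it is the literal file name "%2Fetc%2Fpasswd" inside the root, which is only dangerous if some later layer decodes it again.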
| CVE ID | Title | Product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2024-12806 | SonicWALL SonicOS security vulnerability | SonicOS | 6.5 | - | 2025-01-09 |
| CVE-2023-20087 | Cisco Identity Services Engine path traversal vulnerability | Cisco Identity Services Engine Software | 4.9 | Medium | 2023-05-18 |
| CVE-2023-20077 | Cisco Identity Services Engine path traversal vulnerability | Cisco Identity Services Engine Software | 4.9 | Medium | 2023-05-18 |
| CVE-2022-20962 | Cisco Identity Services Engine path traversal vulnerability | Cisco Identity Services Engine Software | 3.8 | Low | 2022-11-03 |
| CVE-2022-25347 | Delta Electronics DIAEnergie path traversal vulnerability | DIAEnergie | 9.8 | Critical | 2022-03-29 |
| CVE-2018-10498 | Samsung Email information disclosure vulnerability | Samsung Email | 5.5 | - | 2018-09-24 |

CWE-37 (Path Traversal: '/absolute/pathname/here') is a common weakness category; this platform has collected 6 CVE vulnerabilities associated with it.