
CWE-41 Improper Resolution of Path Equivalence: Vulnerability List (23)

Summary of the 23 CVE vulnerabilities belonging to the CWE-41 Improper Resolution of Path Equivalence weakness class, with AI-generated Chinese analysis.

CWE-41 is a path equivalence weakness: it arises when software fails to handle special characters in file system paths correctly. Attackers typically use techniques such as symbolic links or relative paths to produce different names that refer to the same object, bypassing access controls that are based on an incomplete file name or path and exposing the contents of sensitive files. Developers should canonicalize input paths, validate file paths strictly, and avoid building file paths from untrusted user input in order to eliminate this class of risk.

MITRE CWE Official Description
CWE: CWE-41 Improper Resolution of Path Equivalence. Description: The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object. Path equivalence is usually employed in order to circumvent access controls expressed using an incomplete representation of a file name or path. This is different from path traversal, wherein the manipulations are performed to generate a name for a different object.
Common Consequences (1)
Scope: Confidentiality, Integrity, Access Control. Impact: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism.
An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism, then an attacker may be able to bypass the mechanism.
Mitigations (3)
Phase: Implementation. Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Phase: Implementation. Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Phase: Implementation. Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
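The three mitigations above describe one ordering: decode exactly once, canonicalize to the internal representation, then validate against an allowlist. The following Python example is added here to illustrate that ordering; it is not code from the page, from MITRE, or from any of the listed products. The directory layout, the request strings, the segment allowlist regular expression and the function names are all constructed for the example. It contrasts a blocklist-style string check, which only inspects the raw request, with a check that resolves the path first: a symlink inside the served tree that points outside it, a "./" prefix, a single-encoded ".." and a double-encoded ".." are the aliases exercised.

```python
import os
import re
import shutil
import tempfile
from urllib.parse import unquote

# Allowlist for one path segment (constructed for this example): letters, digits,
# "_", "-" and "." with no leading dot, so ".", ".." and hidden files are rejected.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]*$")


def naive_is_allowed(requested: str) -> bool:
    """Blocklist-style check on the raw string only: the weak pattern CWE-41 targets."""
    return ".." not in requested and not requested.startswith("/")


def resolve_in_base(base_dir: str, requested: str):
    """Decode once (CWE-174), canonicalize (CWE-180), then validate with an allowlist.

    Returns the canonical absolute path if it lies strictly inside base_dir and every
    segment of the relative path matches SEGMENT_RE; otherwise returns None.
    """
    decoded = unquote(requested)  # exactly one decoding step, never repeated
    base = os.path.realpath(base_dir)
    # realpath collapses ".", "//" and follows symlinks, so every alias of an
    # object maps to the same canonical name before any policy is applied.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None  # escaped the served tree (e.g. via a symlink or "..")
    rel = os.path.relpath(candidate, base)
    if not all(SEGMENT_RE.match(seg) for seg in rel.split(os.sep)):
        return None  # leftover encoding or other disallowed characters
    return candidate


def run_demo() -> dict:
    """Build a constructed layout and evaluate sample requests with both checks.

    Returns {request: (naive_verdict, path_relative_to_root_or_None)}.
    """
    root = tempfile.mkdtemp()
    try:
        public = os.path.join(root, "public")
        os.makedirs(public)
        with open(os.path.join(public, "index.html"), "w") as fh:
            fh.write("<h1>public</h1>")
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("not for the web")
        # A symlink inside the served tree whose target lies outside it.
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(public, "link"))

        requests = [
            "index.html",            # plain name
            "./index.html",          # equivalent name for the same object
            "link",                  # symlink alias for ../secret.txt
            "%2e%2e/secret.txt",     # single-encoded ".."
            "%252e%252e/secret.txt", # double-encoded ".."
            "../secret.txt",         # literal traversal
        ]
        canonical_root = os.path.realpath(root)
        results = {}
        for req in requests:
            resolved = resolve_in_base(public, req)
            rel = os.path.relpath(resolved, canonical_root) if resolved else None
            results[req] = (naive_is_allowed(req), rel)
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for req, (naive, canonical) in run_demo().items():
        print(f"{req!r:26} naive_allowed={naive!s:5} canonical={canonical}")
```

The symlink case is the path equivalence CWE-41 describes: "link" contains no ".." and passes the naive check, yet it names the same object as "../secret.txt". Canonicalizing first maps both spellings to one name, and the containment test rejects it. The double-encoded request shows why decoding must happen only once: after a single decode it still contains "%2e%2e", which the segment allowlist refuses, whereas a second decode downstream would have turned it into a traversal after validation.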
CVE ID | Title | CVSS | Risk Level | Published
CVE-2026-5816 | GitLab Security Vulnerability — GitLab | 8.0 | High | 2026-04-22
CVE-2026-34510 | OpenClaw Security Vulnerability — OpenClaw | 5.3 | Medium | 2026-04-01
CVE-2026-23674 | Microsoft MapUrlToZone Security Vulnerability — Windows 10 Version 1607 | 7.5 | High | 2026-03-10
CVE-2025-58290 | Huawei HarmonyOS Security Vulnerability — HarmonyOS | 3.3 | Low | 2025-10-11
CVE-2025-54107 | Microsoft MapUrlToZone Security Vulnerability — Windows 10 Version 1507 | 4.3 | Medium | 2025-09-09
CVE-2024-8765 | Lunary Security Vulnerability — lunary-ai/lunary | 9.4 | - | 2025-03-20
CVE-2024-6839 | Flask-CORS Security Vulnerability — corydolphin/flask-cors | 9.8 | - | 2025-03-20
CVE-2025-0115 | Palo Alto Networks PAN-OS Security Vulnerability — PAN-OS | 4.9 | - | 2025-03-12
CVE-2025-21247 | Microsoft MapUrlToZone Security Vulnerability — Windows 10 Version 1507 | 4.3 | Medium | 2025-03-11
CVE-2025-24470 | Fortinet FortiPortal Security Vulnerability — FortiPortal | 8.1 | High | 2025-02-11
CVE-2025-21332 | Microsoft MapUrlToZone Security Vulnerability — Windows 10 Version 1507 | 4.3 | Medium | 2025-01-14
CVE-2025-21189 | Microsoft MapUrlToZone Security Vulnerability — Windows 10 Version 1507 | 4.3 | Medium | 2025-01-14
CVE-2025-21328 | Microsoft Windows Security Vulnerability — Windows 10 Version 1507 | 4.3 | Medium | 2025-01-14
CVE-2025-21329 | Microsoft Windows Security Vulnerability — Windows 10 Version 1507 | 4.3 | Medium | 2025-01-14
CVE-2025-21219 | Microsoft MapUrlToZone Security Vulnerability — Windows 10 Version 1507 | 4.3 | Medium | 2025-01-14
CVE-2025-21269 | Microsoft MapUrlToZone Security Vulnerability — Windows 10 Version 1507 | 4.3 | Medium | 2025-01-14
CVE-2025-21268 | Microsoft MapUrlToZone Security Vulnerability — Windows 10 Version 1507 | 4.3 | Medium | 2025-01-14
CVE-2024-30073 | Microsoft Windows Security Vulnerability — Windows 11 Version 24H2 | 7.8 | High | 2024-09-10
CVE-2024-45405 | gitoxide Security Vulnerability — gitoxide | 6.0 | Medium | 2024-09-06
CVE-2024-30036 | Microsoft Windows Deployment Services Security Vulnerability — Windows Server 2019 | 6.5 | Medium | 2024-05-14
CVE-2023-46169 | IBM DS8900F HMC Security Vulnerability — DS8900F | 6.5 | Medium | 2024-03-07
CVE-2023-36396 | Microsoft Windows Compressed Folder Security Vulnerability — Windows 11 version 22H2 | 7.8 | High | 2023-11-14
CVE-2022-0855 | whmcs_plugin Security Vulnerability — microweber-dev/whmcs_plugin | 6.1 | - | 2022-03-04

CWE-41 (Improper Resolution of Path Equivalence) is a common weakness category; this platform indexes 23 CVE vulnerabilities associated with it.