CWE-428 (Unquoted Search Path or Element) — Vulnerability Class 296

296 vulnerabilities classified as CWE-428 (Unquoted Search Path or Element). AI Chinese analysis included.

CWE-428 is a critical input validation weakness in which software constructs a search path containing an unquoted element that includes whitespace or other separators. It typically enables privilege escalation: because the unquoted path is parsed ambiguously, an attacker with file system access can place an executable in a parent path, such as a file named "Program.exe" (C:\Program.exe). When a privileged process then executes a command through WinExec without proper quoting, it may run the attacker-controlled file instead of the intended target. Developers prevent this by quoting the full path in every command line before executing a program. Strict input validation and avoiding dynamic path construction from untrusted sources further ensure that the operating system resolves the intended file location, removing the risk of unintended resource access or code execution.

MITRE CWE Description
The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as "C:\Program.exe" to be run by a privileged program making use of WinExec.
Common Consequences (1)
Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands
Mitigations (3)
Implementation: Properly quote the full search path before executing a program on the system.
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Implementation: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Examples (1)
The following example demonstrates the weakness.
UINT errCode = WinExec( "C:\\Program Files\\Foo\\Bar", SW_SHOW );
Bad · C
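Added example (not from MITRE or the original page): a Python audit helper that models the documented CreateProcess resolution of an unquoted command line, lists the files that would be tried before the intended executable, and produces the quoted form. The sample entries, the function names and the ".exe" boundary heuristic are assumptions made for illustration.

```python
import re

# Constructed sample command lines, shaped like Windows service ImagePath values.
SAMPLES = {
    "FooSvc": r"C:\Program Files\Foo\Bar.exe",
    "ArgSvc": r"C:\Program Files\Foo Tools\agent.exe /run",
    "QuotedSvc": r'"C:\Program Files\Foo\Bar.exe" -service',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

# Heuristic (assumption): the executable ends at the first ".exe" followed by
# whitespace or end of string; without one, the whole string is the path.
_EXE = re.compile(r"(.+?\.exe)(?=\s|$)", re.IGNORECASE)

def split_command(command_line):
    """Return (executable_path, remaining_arguments) for an unquoted command line."""
    cmd = command_line.strip()
    m = _EXE.match(cmd)
    path = m.group(1) if m else cmd
    return path, cmd[len(path):]

def earlier_candidates(command_line):
    """List the files Windows would try before the intended executable."""
    if command_line.strip().startswith('"'):
        return []  # quoted path: no ambiguity
    path, _ = split_command(command_line)
    found = []
    for i, ch in enumerate(path):
        if ch == " " and path[i - 1] != " ":
            prefix = path[:i]
            leaf = prefix.rsplit("\\", 1)[-1]
            # ".exe" is appended when the truncated name has no extension.
            found.append(prefix if "." in leaf else prefix + ".exe")
    return found

def quoted(command_line):
    """Return the command line with the executable path wrapped in quotes."""
    if command_line.strip().startswith('"'):
        return command_line.strip()
    path, rest = split_command(command_line)
    return f'"{path}"{rest}'

def audit(entries):
    """Map each risky entry name to the earlier candidates it exposes."""
    hits = {name: earlier_candidates(cmd) for name, cmd in entries.items()}
    return {name: c for name, c in hits.items() if c}
```

Any entry returned by audit() should have its stored command line replaced with the output of quoted(), and the listed candidate locations checked for write access by non-administrative users.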
CVE ID | Title | CVSS | Severity | Published
CVE-2020-7331 | Unquoted service executable path in McAfee Endpoint Security (ENS) — McAfee Endpoint Security (ENS) | 7.8 | High | 2020-11-12
CVE-2020-15261 | Unquoted service path vulnerability on Veyon — veyon | 8.0 | High | 2020-10-19
CVE-2020-7316 | File and Removable Media Protection update fixes one vulnerability — File & Removable Media Protection (FRP) | 6.6 | Medium | 2020-10-07
CVE-2020-10051 | Siemens SIMATIC RTLS code issue vulnerability — SIMATIC RTLS Locating Manager | 7.8 | - | 2020-09-09
CVE-2020-7382 | Unquoted Path in Rapid7 Nexpose Installer — Nexpose | 6.8 | Medium | 2020-09-03
CVE-2020-8326 | Lenovo Drivers Management code issue vulnerability — Drivers Management | 7.3 | High | 2020-07-24
CVE-2020-7581 | Siemens Opcenter code issue vulnerability — Opcenter Execution Discrete | 7.3 | - | 2020-07-14
CVE-2020-7580 | Siemens multiple products code issue vulnerability — SIMATIC Automation Tool | 6.7 | - | 2020-06-10
CVE-2020-8337 | Synaptics Smart Audio UWP app code issue vulnerability — Synaptics Smart Audio UWP App | 6.7 | - | 2020-06-09
CVE-2020-7275 | Unquoted service paths for some McAfee ENS files — McAfee Endpoint Security (ENS) | 4.8 | Medium | 2020-04-15
CVE-2020-8327 | Lenovo System Interface Foundation code issue vulnerability — Vantage | 7.3 | High | 2020-04-14
CVE-2020-1988 | Global Protect Agent: Local privilege escalation due to an unquoted search path vulnerability — Global Protect Agent | 4.2 | Medium | 2020-04-08
CVE-2019-7487 | SonicWall SonicOS SSLVPN NACagent code issue vulnerability — SonicOS | 8.4 | - | 2019-12-19
CVE-2019-18245 | Reliable Controls LicenseManager code issue vulnerability — Reliable Controls LicenseManager | 8.8 | - | 2019-12-11
CVE-2019-7590 | exacqVision Server Unquoted Service Path — exacqVision Server | 7.8 | - | 2019-07-19
CVE-2019-8459 | Check Point Endpoint Security Client code issue vulnerability — Check Point Endpoint Security Client for Windows, VPN blade | 9.8 | - | 2019-06-20
CVE-2018-14789 | Philips IntelliSpace Cardiovascular and Xcelera security vulnerability — IntelliSpace Cardiovascular (ISCV) products | 6.7 | - | 2018-08-22
CVE-2018-10619 | Rockwell Automation RSLinx Classic and FactoryTalk Linx Gateway security vulnerability — Rockwell Automation RSLinx Classic and FactoryTalk Linx Gateway | 7.8 | - | 2018-06-07
CVE-2017-6015 | Rockwell Automation FactoryTalk Activation security vulnerability — FactoryTalk Activation | 7.8 | - | 2018-05-11
CVE-2018-5470 | Philips Intellispace Portal security vulnerability — Philips IntelliSpace Portal | 6.7 | - | 2018-03-26
CVE-2017-14030 | Moxa MXview security vulnerability — Moxa MXview | 7.8 | - | 2018-01-12
CVE-2017-14019 | Progea Movicon security vulnerability — Progea Movicon SCADA/HMI | 6.7 | - | 2017-10-19
CVE-2017-12730 | mySCADA myPRO permissions and access control vulnerability — mySCADA myPRO | 8.4 | - | 2017-10-06
CVE-2017-13993 | i-SENS SmartLog Diabetes Management Software security vulnerability — i-SENS, Inc. SmartLog Diabetes Management Software | 7.8 | - | 2017-10-04
CVE-2017-9644 | ALC WebCTRL, i-Vu and SiteScan Web security vulnerability — Automated Logic Corporation WebCTRL, i-VU, SiteScan | 6.4 | - | 2017-08-25
CVE-2014-0759 | Schneider Electric Floating License Manager Unquoted Search Path or Element — Floating License Manager | 7.8 | - | 2014-02-28

Vulnerabilities classified as CWE-428 (Unquoted Search Path or Element) represent 296 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.