CWE-494 Download of Code Without Integrity Check: vulnerability list (101)

Summary of the 101 CVE vulnerabilities in the CWE-494 (Download of Code Without Integrity Check) weakness class, with AI-generated Chinese analysis.

CWE-494 covers code that is downloaded and used without an integrity check. Attackers commonly hijack the transport channel, spoof DNS, or compromise the origin server to tamper with the downloaded content and plant malicious code. Developers should verify a digital signature or check a cryptographic hash to confirm that the code comes from a trusted source and has not been altered, so that manipulated programs are never executed.

MITRE CWE official description
CWE-494 Download of Code Without Integrity Check: the product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit.
Common consequences (1)
Scope: Integrity, Availability, Confidentiality, Other. Impact: Execute Unauthorized Code or Commands, Alter Execution Logic, Other.
Executing untrusted code could compromise the control flow of the program. The untrusted code could execute attacker-controlled commands, read or modify sensitive resources, or prevent the software from functioning correctly for legitimate users.
Mitigations (5)
Phase: Implementation. Perform proper forward and reverse DNS lookups to detect DNS spoofing.
Phases: Architecture and Design, Operation. Encrypt the code with a reliable encryption scheme before transmitting. This will only be a partial solution, since it will not detect DNS spoofing and it will not prevent your code from being modified on the hosting site.
Phase: Architecture and Design. Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Specifically, it may be helpful to use tools or frameworks to perform integrity checking on the transmitted code. When providing the code that is to be downloaded, such as for automatic updates of the software, then use cryptographic signatures for …
Phases: Architecture and Design, Operation. Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database ad…
Phases: Architecture and Design, Operation. Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For ex…
Effectiveness: Limited
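As an added illustration of the hash-check mitigation described above (example code written for this page, not MITRE's or the platform's own), the following Python verifies a downloaded artifact against a digest pinned in a manifest and refuses anything that does not match or is not listed; the plugin bytes, the manifest and the artifact names are constructed for the example.

```python
"""Verify a downloaded artifact against a pinned SHA-256 digest before use.

Constructed example: the digest below is computed inline from sample bytes,
standing in for a manifest obtained out-of-band (shipped inside the installer
or fetched over a separately authenticated channel).
"""
import hashlib
import hmac

# Constructed "good" artifact and a hypothetical manifest: name -> SHA-256 hex.
# The manifest must NOT come from the same untrusted location as the artifact,
# otherwise an attacker who alters the download can rewrite the digest too.
GOOD_PLUGIN = b"def run():\n    return 'plugin ok'\n"
PINNED_MANIFEST = {
    "plugin.py": hashlib.sha256(GOOD_PLUGIN).hexdigest(),
}


class IntegrityError(Exception):
    """Raised when a download does not match its pinned digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(name: str, data: bytes, manifest=PINNED_MANIFEST) -> bytes:
    """Return data only if its digest matches the pinned value for name.

    Unknown artifacts are rejected outright: silently accepting a file that
    has no pinned digest would reintroduce CWE-494.
    """
    expected = manifest.get(name)
    if expected is None:
        raise IntegrityError(f"no pinned digest for {name!r}")
    actual = sha256_hex(data)
    # Constant-time comparison; a plain == would leak a timing signal.
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(f"digest mismatch for {name!r}")
    return data


def is_trusted(name: str, data: bytes) -> bool:
    """Boolean wrapper: True only when the artifact passes verification."""
    try:
        verify_download(name, data)
        return True
    except IntegrityError:
        return False


if __name__ == "__main__":
    tampered = GOOD_PLUGIN.replace(b"plugin ok", b"plugin replaced")
    print("genuine :", is_trusted("plugin.py", GOOD_PLUGIN))  # True
    print("tampered:", is_trusted("plugin.py", tampered))     # False
    print("unknown :", is_trusted("other.py", GOOD_PLUGIN))   # False
```

Only after verify_download returns should the bytes be written to disk or loaded; anything that fails the check is discarded, not "repaired".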
Code examples (2)
This example loads an external class from a local subdirectory.

```java
import java.net.URL;
import java.net.URLClassLoader;

// Classes under subdir/ are loaded and initialised with no integrity check on their contents.
URL[] classURLs = new URL[]{ new URL("file:subdir/") };
URLClassLoader loader = new URLClassLoader(classURLs);
Class loadedClass = Class.forName("loadMe", true, loader);
```

Bad · Java
This code includes an external script to get database credentials, then authenticates a user against the database, allowing access to the application.

```php
<?php
// assume the password is already encrypted, avoiding CWE-312
function authenticate($username, $password) {
    // The script is fetched over plain HTTP and executed without any integrity check.
    include("http://external.example.com/dbInfo.php");
    // dbInfo.php makes $dbhost, $dbuser, $dbpass, $dbname available
    mysql_connect($dbhost, $dbuser, $dbpass) or die('Error connecting to mysql');
    mysql_select_db($dbname);
    $query = 'Select * from users where username=' . $username . ' And password=' . $password;
    $result = mysql_query($query);
    if (mysql_num_rows($result) == 1) {
        mysql_close();
        return true;
    } else {
        mysql_close();
        return false;
    }
}
```

Bad · PHP
CVE ID | Title | Affected product | CVSS | Risk level | Published (values marked "(AI)" carry the page's AI badge)
CVE-2026-42249 | Ollama path traversal vulnerability | Ollama | 8.8 (AI) | High (AI) | 2026-04-29
CVE-2026-42248 | Ollama security vulnerability | Ollama | 8.4 (AI) | High (AI) | 2026-04-29
CVE-2026-40066 | Anviz CX7 and Anviz CX2 Lite security vulnerability | Anviz CX7 Firmware | 8.8 | High | 2026-04-17
CVE-2026-3428 | ASUS Member Center security vulnerability | Member Center (华硕大厅) | 7.0 (AI) | High (AI) | 2026-04-16
CVE-2026-34841 | Bruno security vulnerability | bruno | 9.8 | Critical | 2026-04-06
CVE-2026-3502 | TrueConf Client security vulnerability | TrueConf Client | 7.8 | High | 2026-03-30
CVE-2026-33075 | FastGPT security vulnerability | FastGPT | 7.5 | - | 2026-03-20
CVE-2026-1878 | ASUS ROG peripheral driver security vulnerability | Driver (Keyboard & Mouse) | 7.4 (AI) | High (AI) | 2026-03-12
CVE-2026-3000 | Changing IDExpert Windows Logon Agent security vulnerability | IDExpert Windows Logon Agent | 9.8 | Critical | 2026-03-02
CVE-2026-2999 | Changing IDExpert Windows Logon Agent security vulnerability | IDExpert Windows Logon Agent | 9.8 | Critical | 2026-03-02
CVE-2025-47904 | Microchip Time Provider 4100 security vulnerability | Time Provider 4100 | 9.1 (AI) | Critical (AI) | 2026-02-24
CVE-2026-27180 | MajorDoMo security vulnerability | MajorDoMo | 9.8 | Critical | 2026-02-18
CVE-2025-15575 | SolaX Power Pocket security vulnerability | Pocket WiFi 3.0 | 4.3 (AI) | Medium (AI) | 2026-02-12
CVE-2026-20056 | Cisco Secure Web Appliance security vulnerability | Cisco Secure Web Appliance | 4.0 | Medium | 2026-02-04
CVE-2025-15556 | Notepad++ security vulnerability | notepad-plus-plus | 7.0 (AI) | High (AI) | 2026-02-03
CVE-2026-22865 | Gradle security vulnerability | gradle | 5.3 | - | 2026-01-16
CVE-2025-69263 | pnpm security vulnerability | pnpm | 7.5 | High | 2026-01-07
CVE-2025-14265 | ConnectWise ScreenConnect security vulnerability | ScreenConnect | 9.1 | Critical | 2025-12-11
CVE-2025-66334 | Huawei HarmonyOS security vulnerability | HarmonyOS | 3.3 | Low | 2025-12-08
CVE-2025-66333 | Huawei HarmonyOS security vulnerability | HarmonyOS | 3.3 | Low | 2025-12-08
CVE-2025-66332 | Huawei HarmonyOS security vulnerability | HarmonyOS | 3.3 | Low | 2025-12-08
CVE-2025-66331 | Huawei HarmonyOS security vulnerability | HarmonyOS | 3.3 | Low | 2025-12-08
CVE-2025-40604 | SonicWALL Email Security security vulnerability | Email Security | 6.7 | - | 2025-11-20
CVE-2025-11493 | ConnectWise Automate Agent security vulnerability | Automate | 8.8 | High | 2025-10-16
CVE-2025-34212 | Vasion Print Virtual Appliance Host security vulnerability | Print Virtual Appliance Host | 8.1 (AI) | High (AI) | 2025-09-29
CVE-2025-9319 | Lenovo Wallpaper Client security vulnerability | Wallpaper Client | 7.5 | High | 2025-09-11
CVE-2025-30199 | ECOVACS robot vacuums security vulnerability | DEEBOT X1 Series | 7.2 | High | 2025-09-05
CVE-2025-35115 | Agiloft security vulnerability | Agiloft | 8.1 | High | 2025-08-26
CVE-2025-31355 | Tenda AC6 security vulnerability | AC6 V5.0 | 7.2 | High | 2025-08-20
CVE-2025-53520 | EG4 Electronics EG4 Inverters security vulnerability | EG4 12kPV | 8.8 | High | 2025-08-08

CWE-494 (Download of Code Without Integrity Check) is a common weakness class; this platform has collected 101 CVE vulnerabilities associated with it.