
CWE-552 Files or Directories Accessible to External Parties: Vulnerability List (209)

Summary of the 209 CVEs associated with weakness class CWE-552 (Files or Directories Accessible to External Parties), with AI-generated Chinese analysis.

CWE-552 is an improper-permission-configuration class of weakness: the product mistakenly exposes files or directories to unauthorized external entities. Attackers typically exploit this defect by directly requesting sensitive files under the server's root directory in order to steal confidential data or perform malicious operations. Developers should avoid storing sensitive files under web or FTP server roots and should enforce strict access control so that only authorized users can reach a given resource, preventing information disclosure.

Official MITRE CWE Description
CWE-552: Files or Directories Accessible to External Parties
Description: The product makes files or directories accessible to unauthorized actors, even though they should not be. Web servers, FTP servers, and similar servers may store a set of files underneath a "root" directory that is accessible to the server's users. Applications may store sensitive files underneath this root without also using access control to limit which users may request those files, if any. Alternately, an application might package multiple files or directories into an archive file (e.g., ZIP or tar), but the application might not exclude sensitive files that are underneath those directories. In cloud technologies and containers, this weakness might present itself in the form of misconfigured storage accounts that can be read or written by a public or anonymous user.
Common Consequences (1)
Scope: Confidentiality, Integrity. Impact: Read Files or Directories, Modify Files or Directories.
Mitigations (1)
Phase: Implementation, System Configuration, Operation. When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.
Code Examples (2)
The following Azure command updates the settings for a storage account:
az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access true
Bad · Shell
az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access false
Good · Shell
The following Google Cloud Storage command gets the settings for a storage account named 'BUCKET_NAME':
gsutil iam get gs://BUCKET_NAME
Informative · Shell
{
  "bindings": [
    { "members": [ "projectEditor:PROJECT-ID", "projectOwner:PROJECT-ID" ],
      "role": "roles/storage.legacyBucketOwner" },
    { "members": [ "allUsers", "projectViewer:PROJECT-ID" ],
      "role": "roles/storage.legacyBucketReader" }
  ]
}
Bad · JSON
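The GCS policy above is "Bad" because `allUsers` holds `roles/storage.legacyBucketReader`. As an added example (not from the MITRE entry or this platform), the following Python check reads the JSON printed by `gsutil iam get gs://BUCKET_NAME`, flags every binding granted to a public principal, and emits a corrected policy with those principals removed. `allAuthenticatedUsers` is a real GCS principal not shown on the page; the sample policy is constructed from the Bad example above.

```python
import json

# Principals that make a bucket readable or writable by anyone on the internet
# (allAuthenticatedUsers only requires any Google account, so it counts as public).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy_json: str) -> list[tuple[str, str]]:
    """Return (role, member) pairs that grant a public principal access.

    policy_json is the JSON printed by `gsutil iam get gs://BUCKET_NAME`.
    An empty list means no binding exposes the bucket to anonymous users.
    """
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            # Bindings with IAM Conditions are still flagged: the condition
            # may be wide open, so a human should review them.
            if member in PUBLIC_MEMBERS:
                findings.append((role, member))
    return findings


def strip_public_members(policy_json: str) -> str:
    """Return a corrected policy with every public principal removed."""
    policy = json.loads(policy_json)
    fixed = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if members:  # drop bindings that only served public principals
            fixed.append({**binding, "members": members})
    policy["bindings"] = fixed
    return json.dumps(policy, indent=2)


# Constructed sample: the Bad policy from the CWE-552 example above.
BAD_POLICY = json.dumps({
    "bindings": [
        {"members": ["projectEditor:PROJECT-ID", "projectOwner:PROJECT-ID"],
         "role": "roles/storage.legacyBucketOwner"},
        {"members": ["allUsers", "projectViewer:PROJECT-ID"],
         "role": "roles/storage.legacyBucketReader"},
    ]
})

if __name__ == "__main__":
    for role, member in public_bindings(BAD_POLICY):
        print(f"PUBLIC ACCESS: {member} holds {role}")
    print(strip_public_members(BAD_POLICY))
```

The corrected policy can be reviewed and then applied with `gsutil iam set`; the check itself is read-only.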
(AI) marks a value supplied by the platform's AI analysis.

| CVE ID | Title | Affected product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2025-40908 | libyaml security vulnerability | YAML::LibYAML | 7.5 | - | 2025-06-01 |
| CVE-2025-4634 | jct-aq Airpointer 2D security vulnerability | Airpointer | 4.1 | Medium | 2025-05-30 |
| CVE-2025-5273 | Markdownify MCP Server security vulnerability | mcp-markdownify-server | 6.5 | Medium | 2025-05-29 |
| CVE-2025-4134 | Avast Business Antivirus security vulnerability | Avast Business Antivirus | 7.3 | High | 2025-05-28 |
| CVE-2025-21264 | Microsoft Visual Studio Code security vulnerability | Microsoft Visual Studio Code CoPilot Chat Extension | 7.1 | High | 2025-05-13 |
| CVE-2024-4981 | Pagure security vulnerability | | 7.6 | High | 2025-05-12 |
| CVE-2025-32819 | SonicWALL SMA100 security vulnerability | SMA100 | 8.1 (AI) | High (AI) | 2025-05-07 |
| CVE-2025-1982 | Symfonia Ready_ security vulnerability | Ready_ | 6.5 (AI) | Medium (AI) | 2025-04-16 |
| CVE-2025-2222 | Schneider Electric ConneXium Network Manager security vulnerability | ConneXium Network Manager | 7.8 | High | 2025-04-09 |
| CVE-2025-22369 | MENNEKES Charging column Smart security vulnerability | Smart / Premium charging stations | 7.5 | - | 2025-03-11 |
| CVE-2025-25267 | Siemens Tecnomatix Plant Simulation security vulnerability | Tecnomatix Plant Simulation V2302 | 6.2 | Medium | 2025-03-11 |
| CVE-2025-25266 | Siemens Tecnomatix Plant Simulation security vulnerability | Tecnomatix Plant Simulation V2302 | 6.8 | Medium | 2025-03-11 |
| CVE-2025-2147 | Zhide Modern Farm Digital Integrated Management System security vulnerability | Modern Farm Digital Integrated Management System | 5.3 | Medium | 2025-03-10 |
| CVE-2024-48864 | QNAP Systems File Station security vulnerability | File Station 5 | 9.1 | - | 2025-03-07 |
| CVE-2025-26525 | Moodle security vulnerability | moodle | 8.6 | High | 2025-02-24 |
| CVE-2024-12917 | Agito Computer Health4All security vulnerability | Health4All | 8.3 | High | 2025-02-24 |
| CVE-2025-23421 | Qardio Heart Health and ARM A100 security vulnerability | Heart Health IOS Mobile Application | 6.4 | Medium | 2025-02-13 |
| CVE-2024-11629 | Progress Telerik Document Processing Libraries security vulnerability | Progress® Telerik® Document Processing Libraries | 7.1 | High | 2025-02-12 |
| CVE-2025-1042 | GitLab Enterprise Edition security vulnerability | GitLab | 4.9 | Medium | 2025-02-12 |
| CVE-2025-0509 | Oracle Java SE security vulnerability | Sparkle | 7.3 | High | 2025-02-04 |
| CVE-2023-29080 | Revenera InstallShield security vulnerability | InstallShield | 7.3 | - | 2025-01-30 |
| CVE-2024-47106 | IBM Jazz for Service Management security vulnerability | Jazz for Service Management | 5.3 | Medium | 2025-01-18 |
| CVE-2024-45627 | Apache Linkis security vulnerability | Apache Linkis Metadata Query Service JDBC | 6.5 | - | 2025-01-14 |
| CVE-2024-53649 | Siemens SIPROTEC 5 security vulnerability | SIPROTEC 5 6MD84 (CP300) | 6.5 | Medium | 2025-01-14 |
| CVE-2024-47518 | Arista NG Firewall security vulnerability | Arista Edge Threat Management | 6.4 | Medium | 2025-01-10 |
| CVE-2024-43660 | iocharger security vulnerability | Iocharger firmware for AC models | 7.5 | - | 2025-01-09 |
| CVE-2024-54099 | Huawei EMUI and Huawei HarmonyOS security vulnerability | HarmonyOS | 6.7 | Medium | 2024-12-12 |
| CVE-2024-51542 | ABB ASPECT security vulnerability | ASPECT-Enterprise | 8.2 | High | 2024-12-05 |
| CVE-2024-53676 | Hewlett Packard Enterprise Insight Remote Support security vulnerability | HPE Insight Remote Support | 9.8 | Critical | 2024-11-27 |
| CVE-2024-10126 | M-Files Server security vulnerability | M-Files Server | 4.3 (AI) | Medium (AI) | 2024-11-20 |

CWE-552 (Files or Directories Accessible to External Parties) is a common weakness class; this platform indexes 209 CVEs associated with it.