CWE-552 Files or Directories Accessible to External Parties: vulnerability list (209 entries)

A summary of 209 CVEs mapped to the CWE-552 weakness class (Files or Directories Accessible to External Parties), with AI-generated analysis in Chinese.

CWE-552 belongs to the class of improper permission and access-control configuration weaknesses: the product exposes files or directories to external actors that should not be able to reach them. An attacker typically exploits it by directly requesting sensitive files that sit under the server's document root, stealing confidential data or, where the files are writable, tampering with them. Developers should keep sensitive files out of a web or FTP server's document root, enforce access control so that only authorized users can request a given resource, and apply the same discipline to archives they generate and to cloud storage buckets, which are the other two places this weakness commonly appears.

MITRE CWE official description
CWE-552: Files or Directories Accessible to External Parties. Original text: The product makes files or directories accessible to unauthorized actors, even though they should not be. Web servers, FTP servers, and similar servers may store a set of files underneath a "root" directory that is accessible to the server's users. Applications may store sensitive files underneath this root without also using access control to limit which users may request those files, if any. Alternately, an application might package multiple files or directories into an archive file (e.g., ZIP or tar), but the application might not exclude sensitive files that are underneath those directories. In cloud technologies and containers, this weakness might present itself in the form of misconfigured storage accounts that can be read or written by a public or anonymous user.
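The "archive" variant of the description above (packaging a directory tree without excluding sensitive files) is easy to demonstrate offline. The following Python script is an added example, not code from this page or from MITRE: it builds a ZIP from a constructed sample project and compares the weak behaviour (package everything) with a deny-list filter. The patterns in SENSITIVE_FILE_PATTERNS and SENSITIVE_DIRS are an illustrative assumption, not a complete definition of "sensitive".

```python
"""Package a directory into a ZIP archive without leaking sensitive files.

Added example for the "archive" scenario in the CWE-552 description; it is
not code from the page or from MITRE. The deny-list below is an assumption
chosen for illustration, not a complete definition of "sensitive".
"""
import fnmatch
import io
import os
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Assumed deny-list (hypothetical defaults); extend it for your own tree.
SENSITIVE_FILE_PATTERNS = (
    ".env", ".env.*", "*.pem", "*.key", "*.pfx", "*.p12",
    "id_rsa", "id_ed25519", "credentials*", "secrets.*",
)
SENSITIVE_DIRS = (".git", ".ssh", ".aws")


def is_sensitive(rel_path: str) -> bool:
    """True if any directory component or the file name matches the deny-list."""
    parts = PurePosixPath(rel_path).parts
    if any(p in SENSITIVE_DIRS for p in parts[:-1]):
        return True
    return any(fnmatch.fnmatch(parts[-1], pat) for pat in SENSITIVE_FILE_PATTERNS)


def build_archive(root, include_sensitive=False):
    """Return (zip_bytes, included, excluded) for the tree under `root`.

    include_sensitive=True reproduces the weakness: everything is packaged.
    """
    root = Path(root).resolve()
    included, excluded = [], []
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()  # deterministic traversal order
            for name in sorted(filenames):
                full = Path(dirpath) / name
                rel = full.relative_to(root).as_posix()
                # Symlinks could point outside the tree; never follow them.
                if full.is_symlink() or (not include_sensitive and is_sensitive(rel)):
                    excluded.append(rel)
                    continue
                zf.write(full, rel)
                included.append(rel)
    return buf.getvalue(), sorted(included), sorted(excluded)


def make_sample_tree() -> str:
    """Constructed sample project (not real data) in a fresh temp directory."""
    base = Path(tempfile.mkdtemp(prefix="cwe552-"))
    files = {
        "README.md": "demo project\n",
        "src/app.py": "print('hello')\n",
        "config/settings.json": "{}\n",
        ".env": "DB_PASSWORD=example-only\n",
        ".git/config": "[core]\n",
        "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nexample\n",
    }
    for rel, content in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return str(base)


def archive_names(zip_bytes: bytes):
    """Entry names actually stored in the archive (what a recipient receives)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(zf.namelist())


def demo():
    """Build the filtered archive of the sample tree; return (packaged, excluded)."""
    root = make_sample_tree()
    data, _included, excluded = build_archive(root)
    return archive_names(data), excluded


if __name__ == "__main__":
    names, excluded = demo()
    print("packaged:", names)
    print("excluded:", excluded)
```

The check is deliberately applied to the relative path inside the archive, not to the file name alone, so that a secret nested under `.git/` or `.ssh/` is caught even when its file name looks harmless; verifying the result by reading the archive back (`archive_names`) is the step a release pipeline should actually gate on.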
Common consequences (1)
Scope: Confidentiality, Integrity. Impact: Read Files or Directories; Modify Files or Directories.
Mitigations (1)
Phases: Implementation, System Configuration, Operation. When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.
Code examples (2)
The following Azure command updates the settings for a storage account. The first form enables anonymous public read access to blobs (bad); the second disables it (good):
Bad (Shell):
az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access true
Good (Shell):
az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access false
The following Google Cloud Storage command gets the IAM policy of the bucket named 'BUCKET_NAME':
Informative (Shell):
gsutil iam get gs://BUCKET_NAME
Bad (JSON): in the returned policy, the special member allUsers holds roles/storage.legacyBucketReader, so any anonymous Internet user can list the bucket's contents:
{
  "bindings": [
    {
      "members": [
        "projectEditor: PROJECT-ID",
        "projectOwner: PROJECT-ID"
      ],
      "role": "roles/storage.legacyBucketOwner"
    },
    {
      "members": [
        "allUsers",
        "projectViewer: PROJECT-ID"
      ],
      "role": "roles/storage.legacyBucketReader"
    }
  ]
}
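The gsutil output above is something a practitioner can audit mechanically. The Python script below is an added example, not code from this page or from MITRE: it parses the page's own 'Bad' GCS policy, reports every binding that includes a public principal (allUsers or allAuthenticatedUsers), produces the corrected policy with those principals removed, and, going one step beyond the page, applies the same idea to a constructed S3 bucket policy whose wildcard Principal is the equivalent misconfiguration. The S3 policy, its bucket name and the account ID 123456789012 are placeholders.

```python
"""Flag public-access grants in cloud storage policies (CWE-552 mitigation check).

Added example, not code from the page or from MITRE. GCS_POLICY is the
page's own 'Bad' gsutil output; S3_POLICY is a constructed sample bucket
policy (account ID and bucket name are placeholders).
"""
import copy
import json

# Principals that make a GCS binding world-readable or world-writable.
PUBLIC_GCS_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

GCS_POLICY = json.loads("""
{
  "bindings": [
    {"members": ["projectEditor: PROJECT-ID", "projectOwner: PROJECT-ID"],
     "role": "roles/storage.legacyBucketOwner"},
    {"members": ["allUsers", "projectViewer: PROJECT-ID"],
     "role": "roles/storage.legacyBucketReader"}
  ]
}
""")

# Constructed sample: one statement open to everyone, one scoped to the owner.
S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OwnerFull", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def gcs_public_bindings(policy):
    """Return [(role, [public members])] for every binding open to the public."""
    findings = []
    for binding in policy.get("bindings", []):
        public = sorted(set(binding.get("members", [])) & PUBLIC_GCS_MEMBERS)
        if public:
            findings.append((binding["role"], public))
    return findings


def gcs_remove_public(policy):
    """Return a copy of the policy with public members stripped (the corrected form)."""
    fixed = copy.deepcopy(policy)
    kept = []
    for binding in fixed.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", [])
                              if m not in PUBLIC_GCS_MEMBERS]
        if binding["members"]:  # drop bindings that became empty
            kept.append(binding)
    fixed["bindings"] = kept
    return fixed


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def s3_public_statements(policy):
    """Return [(Sid, has_condition)] for Allow statements granted to everyone.

    A Condition block may narrow the grant, so it is reported rather than
    silently accepted; the reviewer decides whether it is sufficient.
    """
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") == "Allow" and _principal_is_wildcard(st.get("Principal")):
            findings.append((st.get("Sid", "<no Sid>"), "Condition" in st))
    return findings


if __name__ == "__main__":
    print("GCS public bindings:", gcs_public_bindings(GCS_POLICY))
    print("GCS corrected policy:", json.dumps(gcs_remove_public(GCS_POLICY), indent=2))
    print("S3 public statements:", s3_public_statements(S3_POLICY))
```

To audit a real bucket, replace GCS_POLICY with the output of the `gsutil iam get` command shown on the page; the corrected policy the script produces is what the bucket should look like after the public binding is removed. Note that a deny-list of two principal names is the minimum check, not a full public-access analysis: a bucket can also be exposed through object-level ACLs, which this policy document does not show.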
CVE ID | Title | Affected product | CVSS | Severity | Published
---|---|---|---|---|---
CVE-2021-1512 | Cisco SD-WAN security vulnerability | Cisco SD-WAN Solution | 7.1 | - | 2021-05-06
CVE-2021-1256 | Cisco Firepower Threat Defense security vulnerability | Cisco Firepower Threat Defense Software | 6.0 | Medium | 2021-04-29
CVE-2021-21429 | OpenAPI Generator security vulnerability | openapi-generator | 4.0 | Medium | 2021-04-27
CVE-2021-24154 | WordPress security vulnerability | Theme Editor | 4.9 | - | 2021-04-05
CVE-2021-1434 | Cisco IOS XE SD-WAN Software security vulnerability | Cisco IOS XE Software | 4.4 | Medium | 2021-03-24
CVE-2019-3897 | Red Hat security vulnerability | redhat-certification | 5.3 | - | 2021-03-16
CVE-2021-20253 | Red Hat ansible-tower security vulnerability | ansible-tower | 7.0 | - | 2021-03-09
CVE-2021-1361 | Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches security vulnerability | Cisco NX-OS Software | 9.8 | Critical | 2021-02-24
CVE-2021-20182 | Red Hat openshift4/ose-docker-builder security vulnerability | openshift | 8.8 | - | 2021-02-23
CVE-2020-17519 | Apache Flink security vulnerability | Apache Flink | 7.5 | - | 2021-01-05
CVE-2020-11642 | Secomea GateManager and SiteManager security vulnerability | SiteManager | 7.7 | High | 2020-10-15
CVE-2020-11641 | Secomea GateManager and SiteManager security vulnerability | SiteManager | 7.7 | High | 2020-10-15
CVE-2020-15224 | Microsoft Open Enclave SDK security vulnerability | openenclave | 6.8 | Medium | 2020-10-14
CVE-2020-15175 | GLPI security vulnerability | glpi | 7.4 | High | 2020-10-07
CVE-2020-25636 | Red Hat Ansible security vulnerability | Community Collections | 6.6 | Medium | 2020-10-05
CVE-2020-3476 | Cisco IOS and IOS XE security vulnerability | Cisco IOS XE Software | 6.0 | - | 2020-09-24
CVE-2020-4075 | OpenJS Electron security vulnerability | electron | 6.8 | Medium | 2020-07-07
CVE-2020-1726 | Podman authorization issue | podman | 5.9 | Medium | 2020-02-11
CVE-2019-13941 | Siemens OZW672 and OZW772 authorization issue | OZW672 | 5.3 | - | 2020-02-11
CVE-2019-3622 | McAfee Data Loss Prevention Endpoint access control error | Data Loss Prevention (DLPe) for Windows | 8.8 | - | 2019-07-24
CVE-2019-10930 | Siemens DIGSI 5 engineering software and SIPROTEC 5 - DIGSI Device Driver code issue | All other SIPROTEC 5 device types with CPU variants CP300 and CP100 and the respective Ethernet communication modules | 9.1 | - | 2019-07-11
CVE-2019-3569 | Facebook HHVM information disclosure | HHVM | 7.5 | - | 2019-06-26
CVE-2019-3811 | SSSD security vulnerability | sssd | 5.2 | - | 2019-01-15
CVE-2017-2621 | OpenStack log information disclosure | openstack-heat | 5.5 | - | 2018-07-27
CVE-2017-2622 | OpenStack Mistral information disclosure | openstack-mistral | 5.5 | - | 2018-07-27
CVE-2018-10869 | Red Hat Certification security vulnerability | redhat-certification | 7.5 | - | 2018-07-19
CVE-2018-1079 | pcs permissions and access control vulnerability | pcs | 8.1 | - | 2018-04-12
CVE-2017-15104 | Heketi information disclosure | Heketi | 7.1 | - | 2017-12-18
CVE-2017-12079 | Synology Photo Station security vulnerability | Photo Station | 7.5 | - | 2017-12-04

(A Severity of "-" means the page gives a CVSS score but no qualitative rating for that entry.)

CWE-552 (Files or Directories Accessible to External Parties) is a common weakness class; this platform has collected 209 CVEs associated with it.