
CWE-59 Improper Link Resolution Before File Access ('Link Following'): vulnerability list (425 entries)

A summary of the 425 CVE entries associated with the CWE-59 weakness class, Improper Link Resolution Before File Access ('Link Following'), with AI-generated analysis (in Chinese).

CWE-59 is a file-access weakness: the program resolves a file name without first making sure that the name does not denote a symbolic link (or, on Windows, a shortcut) that resolves to a resource it never intended to touch. The classic setting is a privileged component (a system service, an installer, a package script, a setuid helper, an antivirus engine) that operates on files in a directory a less privileged user can write to, such as /tmp or a per-user cache. The attacker plants a link there pointing at a sensitive target, and the privileged program reads, overwrites, truncates or changes the permissions of that target on the attacker's behalf; the outcome is information disclosure, data tampering or privilege escalation. Developers should not hand attacker-controlled names straight to the file API. Access should be confined to an expected directory, and the open itself should refuse to follow links (for example O_NOFOLLOW combined with openat() relative to a trusted directory descriptor), because resolving the path, checking the result and then opening it as a separate step leaves a race window in which the link can be swapped in.
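The following C program is an added example written for this page (it is not MITRE's code and not taken from any of the listed products). It builds a small constructed scenario under /tmp, with hypothetical file names: a "safe" base directory containing a regular file and a symlink that points to a file outside that directory. It then shows the weakness (a plain open() follows the link and reads the outside file) next to a hardened open that walks the path one component at a time with openat() and O_NOFOLLOW, so no component may be a link and no ".." or absolute path can escape the base. The function names open_under_nofollow and run_demo are this example's own. It targets POSIX/Linux.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened open: walk `relpath` one component at a time beneath the directory
 * `base_fd`, opening each piece with openat() + O_NOFOLLOW so a symlink in ANY
 * component fails with ELOOP, and rejecting ".." and absolute paths (EACCES) so
 * the result cannot leave the base directory. There is no separate "check, then
 * open" step, so there is no window in which an attacker can swap a link in. */
int open_under_nofollow(int base_fd, const char *relpath, int flags)
{
    char buf[PATH_MAX];
    if (relpath == NULL || relpath[0] == '\0' || relpath[0] == '/') { errno = EACCES; return -1; }
    if (strlen(relpath) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, relpath);

    int dirfd = dup(base_fd);
    if (dirfd < 0) return -1;

    char *save = NULL;
    char *comp = strtok_r(buf, "/", &save);
    while (comp != NULL) {
        char *next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0) { close(dirfd); errno = EACCES; return -1; }
        if (strcmp(comp, ".") == 0) { comp = next; continue; }
        /* Intermediate components must be real directories; the last one gets the caller's flags. */
        int oflags = O_NOFOLLOW | O_CLOEXEC | (next != NULL ? (O_RDONLY | O_DIRECTORY) : flags);
        int fd = openat(dirfd, comp, oflags, 0600);
        if (fd < 0) { int saved = errno; close(dirfd); errno = saved; return -1; }
        close(dirfd);
        dirfd = fd;
        comp = next;
    }
    return dirfd;
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Read the short file behind fd, close it, and report whether it equals `expect`. */
static int fd_content_is(int fd, const char *expect)
{
    char buf[64];
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0) return 0;
    buf[n] = '\0';
    return strcmp(buf, expect) == 0;
}

/* Constructed scenario (hypothetical paths, created under /tmp for the demo):
 *   <dir>/data/ok.txt    regular file inside the "safe" base directory
 *   <dir>/data/evil.txt  symlink -> <dir>.secret, a file OUTSIDE the base
 * Returns a bitmask: 1 = naive open() followed the link and read the secret,
 * 2 = hardened open failed with ELOOP, 4 = hardened open read ok.txt,
 * 8 = hardened open refused "../". A fully correct run returns 15. */
int run_demo(void)
{
    int result = 0, fd, base_fd;
    char dir[] = "/tmp/cwe59-XXXXXX";
    char secret[PATH_MAX], data[PATH_MAX], ok[PATH_MAX], evil[PATH_MAX];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(secret, sizeof secret, "%s.secret", dir);
    snprintf(data, sizeof data, "%s/data", dir);
    snprintf(ok, sizeof ok, "%s/ok.txt", data);
    snprintf(evil, sizeof evil, "%s/evil.txt", data);

    if (write_file(secret, "top secret") == 0 && mkdir(data, 0700) == 0 &&
        write_file(ok, "hello") == 0 && symlink(secret, evil) == 0) {
        /* CWE-59: plain open() resolves the link and hands back the outside file. */
        fd = open(evil, O_RDONLY);
        if (fd >= 0 && fd_content_is(fd, "top secret")) result |= 1;

        base_fd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
        if (base_fd >= 0) {
            if (open_under_nofollow(base_fd, "data/evil.txt", O_RDONLY) < 0 && errno == ELOOP) result |= 2;
            fd = open_under_nofollow(base_fd, "data/ok.txt", O_RDONLY);
            if (fd >= 0 && fd_content_is(fd, "hello")) result |= 4;
            if (open_under_nofollow(base_fd, "../etc/passwd", O_RDONLY) < 0 && errno == EACCES) result |= 8;
            close(base_fd);
        }
    }
    unlink(evil); unlink(ok); rmdir(data); rmdir(dir); unlink(secret);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("naive open() followed link: %d, hardened: ELOOP %d, ok.txt read %d, '..' refused %d\n",
           r & 1, (r >> 1) & 1, (r >> 2) & 1, (r >> 3) & 1);
    return r == 15 ? 0 : 1;
}
```

Two design points. O_NOFOLLOW on its own only protects the final path component, which is why the hardened function opens every component separately relative to the previous directory descriptor; on Linux 5.6 and later, openat2() with RESOLVE_BENEATH | RESOLVE_NO_SYMLINKS performs the same containment in the kernel in one call. A realpath()-then-open sequence is not an equivalent fix: it checks one path and opens another moment later, which is exactly the race the principle-of-least-privilege mitigation below is meant to reduce. Windows .LNK shortcuts are a shell-level construct rather than a filesystem link, so they need handling in whatever code interprets shortcuts, not in the file-open call.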

MITRE CWE official description
CWE-59 Improper Link Resolution Before File Access ('Link Following'): The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Common consequences (2)
Scope: Confidentiality, Integrity, Access Control. Impact: Read Files or Directories; Modify Files or Directories; Bypass Protection Mechanism.
An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.
Scope: Other. Impact: Execute Unauthorized Code or Commands.
Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a ".LNK" file can be uploaded like a normal file. This can enable remote execution.
Potential mitigations (1)
Phase: Architecture and Design. Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CVE ID | Title | Affected product | CVSS | Risk level | Published
CVE-2020-3223 | Cisco IOS XE link following vulnerability | Cisco IOS XE Software 16.9.4 | 4.9 | - | 2020-06-03
CVE-2020-2024 | Kata Containers link following vulnerability | Kata Containers | 6.5 | Medium | 2020-05-19
CVE-2020-8099 | Bitdefender Antivirus Free link following vulnerability | Antivirus Free | 7.1 | High | 2020-04-21
CVE-2020-7250 | McAfee Endpoint Security link following vulnerability | McAfee Endpoint Security (ENS) | 8.2 | High | 2020-04-15
CVE-2020-5738 | Grandstream GXP1600 link following vulnerability | Grandstream GXP1600 Series | 8.8 | - | 2020-04-14
CVE-2020-8015 | SUSE openSUSE link following vulnerability | Factory | 8.4 | High | 2020-04-02
CVE-2020-8013 | SUSE Linux Enterprise Server link following vulnerability | SUSE Linux Enterprise Server 12 | 2.2 | Low | 2020-03-02
CVE-2019-18901 | openSUSE link following vulnerability | SUSE Linux Enterprise Server 12 | 5.1 | Medium | 2020-03-02
CVE-2019-18897 | SUSE openSUSE and SUSE Linux Enterprise Server link following vulnerability | SUSE Linux Enterprise Server 12 | 8.4 | High | 2020-03-02
CVE-2019-3698 | Nagios link following vulnerability | SUSE Linux Enterprise Server 12 | 5.7 | Medium | 2020-02-28
CVE-2020-8095 | Bitdefender Total Security input validation vulnerability | Bitdefender Total Security 2020 | 4.9 | Medium | 2020-01-30
CVE-2019-3699 | SUSE openSUSE link following vulnerability | Leap 15.1 | 7.7 | High | 2020-01-24
CVE-2019-3697 | SUSE openSUSE link following vulnerability | Leap 15.1 | 7.7 | High | 2020-01-24
CVE-2019-3694 | SUSE openSUSE link following vulnerability | Factory | 7.7 | High | 2020-01-24
CVE-2019-3693 | GNU Mailman link following vulnerability | SUSE Linux Enterprise Server 11 | 7.7 | High | 2020-01-24
CVE-2019-3692 | inn link following vulnerability in multiple SUSE products | SUSE Linux Enterprise Server 11 | 7.7 | High | 2020-01-24
CVE-2019-3691 | munge link following vulnerability | SUSE Linux Enterprise Server 15 | 7.7 | High | 2020-01-23
CVE-2019-18898 | trousers link following vulnerability in multiple SUSE products | SUSE Linux Enterprise Server 15 SP1 | 7.7 | High | 2020-01-23
CVE-2019-8463 | Check Point Endpoint Security Client link following vulnerability | Check Point Endpoint Security Client for Windows | 6.2 | - | 2019-12-23
CVE-2019-18232 | SafeNet Sentinel LDK License Manager link following vulnerability | SafeNet Sentinel LDK License Manager Runtime | 7.8 | - | 2019-12-11
CVE-2019-3690 | SUSE openSUSE link following vulnerability | permissions | 6.8 | Medium | 2019-12-05
CVE-2019-12672 | Cisco IOS XE link following vulnerability | Cisco IOS XE Software 3.11.1S | 6.8 | - | 2019-09-25
CVE-2019-10152 | Podman path traversal vulnerability | podman | 7.5 | - | 2019-07-30
CVE-2018-14651 | Red Hat Gluster security vulnerability | glusterfs | 8.8 | - | 2018-10-31
CVE-2018-10928 | Red Hat glusterfs server RPC request handler link following vulnerability | glusterfs | 8.8 | - | 2018-09-04
CVE-2017-7500 | Red Hat RPM security vulnerability | rpm | 7.8 | - | 2018-08-13
CVE-2018-10897 | yum-utils link following vulnerability | yum-utils | 7.5 | - | 2018-08-01
CVE-2016-8641 | Nagios link following vulnerability | nagios | 7.8 | - | 2018-08-01
CVE-2017-15097 | PostgreSQL link following vulnerability | postgresql init script | 7.2 | - | 2018-07-27
CVE-2016-9602 | QEMU permissions and access control vulnerability | Qemu | 8.8 | - | 2018-04-26

CWE-59 (Improper Link Resolution Before File Access ('Link Following')) is a common weakness class; this platform lists 425 CVE entries associated with it.