
CWE-610 Externally Controlled Reference to a Resource in Another Sphere: vulnerability list (45)

A summary of the 45 CVE entries associated with the CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) weakness class, with AI-generated Chinese analysis.

CWE-610 belongs to the family of external-resource-reference weaknesses: the program uses an externally controlled name or reference that resolves to a resource outside its intended control sphere. Attackers typically manipulate input to make the program access files, network endpoints or databases it was never meant to reach, and thereby steal sensitive data or perform unauthorized operations. Developers should avoid concatenating user input directly into resource identifiers, validate those identifiers strictly against an allowlist, and ensure the program can only reach legitimate resources inside the controlled domain, which closes off this attack path.

MITRE CWE official description
CWE-610: Externally Controlled Reference to a Resource in Another Sphere. Description: The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Common consequences (2)

Scope: Confidentiality, Integrity. Impact: Read Application Data, Modify Application Data.
An adversary could read or modify data, depending on how the resource is intended to be used.

Scope: Access Control. Impact: Gain Privileges or Assume Identity.
An adversary that can supply a reference to an unintended resource can potentially access a resource that they do not have privileges for, thus bypassing existing access control mechanisms.
Code example (1)

The following code is a Java servlet that receives a GET request carrying a url parameter and redirects the browser to the address given in that parameter. The servlet reads the url parameter value from the request and sends a response that redirects the browser to that address, without checking where it points.

Bad (Java):

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class RedirectServlet extends HttpServlet {
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            String query = request.getQueryString();
            // Only checks that "url" appears somewhere in the query string; the
            // value itself is forwarded to the browser unvalidated (open redirect).
            if (query != null && query.contains("url")) {
                String url = request.getParameter("url");
                response.sendRedirect(url);
            }
        }
    }

Attack (HTML):

    <a href="http://bank.example.com/redirect?url=http://attacker.example.net">Click here to log in</a>
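The servlet above accepts any destination. The following is an added example, not code from the original page or from MITRE, showing the allowlist validation that the CWE description calls for, written as a stand-alone class so it runs with a JDK alone. The class name RedirectValidator, the allowlist ALLOWED_HOSTS, the fallback path and the sample inputs are all constructed for this example; a real deployment would load the allowlist from configuration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class RedirectValidator {

    // Constructed allowlist for this example: the only hosts the application
    // may send the browser to. Exact-match, lower-case host names.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("bank.example.com", "login.bank.example.com");

    // Where to send the browser when the requested target is rejected.
    private static final String SAFE_FALLBACK = "/";

    /**
     * Returns true only if target is a same-site relative path or an absolute
     * https URL whose host is on the allowlist. Anything the parser rejects
     * is treated as unsafe rather than passed through to the browser.
     */
    public static boolean isSafeRedirectTarget(String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            // Illegal characters (backslash, whitespace, control characters)
            // that a browser might "repair" into a different destination.
            return false;
        }
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            // Relative reference: accept only paths starting with exactly one
            // slash. A scheme-relative "//host/..." already carries an
            // authority and never reaches this branch; the double-slash check
            // is defence in depth.
            return target.startsWith("/") && !target.startsWith("//");
        }
        // Absolute URL: require https and an exact host match. getHost() is
        // null for opaque URIs such as "javascript:..." and for authorities
        // java.net.URI cannot parse, and null is rejected. Userinfo tricks
        // ("allowed.host@evil.host") resolve to evil.host here and fail.
        String host = uri.getHost();
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** The value a servlet should hand to response.sendRedirect(). */
    public static String resolveRedirect(String requested) {
        return isSafeRedirectTarget(requested) ? requested : SAFE_FALLBACK;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the attack link from the page.
        String[] samples = {
            "/account/overview",
            "https://bank.example.com/account",
            "http://attacker.example.net",
            "https://attacker.example.net",
            "//attacker.example.net/",
            "https://bank.example.com@attacker.example.net/",
            "https://bank.example.com.attacker.example.net/",
            "javascript:alert(1)",
            "/\\attacker.example.net",
        };
        for (String s : samples) {
            System.out.printf("%-48s -> %s%n", s, resolveRedirect(s));
        }
    }
}
```

In the servlet, the call would become response.sendRedirect(RedirectValidator.resolveRedirect(request.getParameter("url"))). Of the samples in main, only the first two are redirected as requested; every other input, including the page's attack link, falls back to "/". The design choice is to validate the parsed host against an exact-match allowlist rather than to reject known-bad patterns, since suffix matches, userinfo segments, scheme-relative URLs and backslashes are all ways a substring check on the raw string gets bypassed.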
| CVE ID | Title | Affected product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2023-38046 | Palo Alto Networks PAN-OS security vulnerability | PAN-OS | 5.5 | Medium | 2023-07-12 |
| CVE-2023-0045 | Linux kernel security vulnerability | Linux Kernel | 4.7 | Medium | 2023-04-25 |
| CVE-2022-44747 | Acronis Cyber Protect link following vulnerability | Acronis Cyber Protect Home Office | 7.8 | - | 2022-11-07 |
| CVE-2022-39206 | Theonedev Onedev authorization issue vulnerability | onedev | 9.9 | Critical | 2022-09-13 |
| CVE-2022-27593 | QNAP Systems Photo Station security vulnerability | Photo Station | 10.0 | Critical | 2022-09-08 |
| CVE-2021-3779 | Ruby ruby-mysql security vulnerability | ruby-mysql | 6.5 | - | 2022-06-28 |
| CVE-2022-24854 | Metabase security vulnerability | metabase | 8.0 | High | 2022-04-14 |
| CVE-2021-43844 | MSEdgeRedirect security vulnerability | MSEdgeRedirect | 8.8 | High | 2021-12-20 |
| CVE-2021-43794 | Discourse security vulnerability | discourse | 5.3 | Medium | 2021-12-01 |
| CVE-2021-41244 | Grafana security vulnerability | grafana | 9.1 | Critical | 2021-11-15 |
| CVE-2021-27648 | Synology Antivirus Essential security vulnerability | Synology Antivirus Essential | 9.0 | Critical | 2021-04-28 |
| CVE-2018-12475 | Open Build Service and SUSE openSUSE information disclosure vulnerability | Open Build Service | 6.5 | Medium | 2020-09-01 |
| CVE-2020-8226 | phpBB code issue vulnerability | https://github.com/phpbb/phpbb | 5.8 | - | 2020-08-17 |
| CVE-2018-7824 | Schneider Electric Modbus Serial Driver resource management error vulnerability | Schneider Electric Modbus Serial Driver (For 64-bit Windows OS: V3.17 IE 37 and prior, For 32-bit Windows OS: V2.17 IE 27 and prior, and as part of the Driver Suite version: V14.12 and prior) | 4.9 | - | 2019-05-22 |
| CVE-2017-16088 | safe-eval module security vulnerability | safe-eval node module | 10.0 | - | 2018-06-07 |

CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) is a common weakness category; this platform has collected 45 CVE entries associated with it.