
CWE-628 Function Call with Incorrectly Specified Arguments: vulnerability list (2)

Summary of the 2 CVEs associated with the CWE-628 (Function Call with Incorrectly Specified Arguments) weakness class, with AI-generated analysis in Chinese.

CWE-628 is an argument-passing weakness: the program calls a function with arguments that are wrong in number, order, type or value. Because nothing at the call site rejects the mismatch, the callee runs with the wrong inputs on every call; an attacker who understands the resulting logic can steer the program into unintended behaviour, which can end in a crash, corrupted data or, in the worst case, code execution. Developers should keep every call consistent with the callee's signature, validate argument types and counts where the language does not, and rely on static analysis and unit tests to catch argument mismatches early.

MITRE CWE official description
CWE-628: Function Call with Incorrectly Specified Arguments. The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses. This weakness can be introduced in several ways, including: using the wrong variable or reference; an incorrect number of arguments; arguments in the wrong order; arguments of the wrong type; or arguments with the wrong value.
Common consequences (1)
Scope: Other, Access Control. Impact: Quality Degradation; Gain Privileges or Assume Identity.
This weakness can cause unintended behavior and can lead to additional weaknesses, such as allowing an attacker to gain unintended access to system resources.
Mitigations (2)
Phase: Build and Compilation. Once found, these issues are easy to fix. Use code inspection tools and relevant compiler features to identify potential violations. Pay special attention to code that is not likely to be exercised heavily during QA.
Phase: Architecture and Design. Make sure your APIs are stable before you use them in production code.
Code examples (2)
The following PHP function authenticates a user given a username/password combination, but it is called with the parameters in reverse order, so the password field is checked as the username and vice versa.

    function authenticate($username, $password) {
        // authenticate user
        ...
    }

    authenticate($_POST['password'], $_POST['username']);

Bad · PHP
This Perl code intends to record whether a user authenticated successfully or not, and to exit if the user fails to authenticate. However, when it calls ReportAuth(), the third argument is specified as 0 instead of 1, so it does not exit and DoReallyImportantStuff() runs even after a failed check.

    sub ReportAuth {
        my ($username, $result, $fatal) = @_;
        PrintLog("auth: username=%s, result=%d", $username, $result);
        if (($result ne "success") && $fatal) {
            die "Failed!\n";
        }
    }

    sub PrivilegedFunc {
        my $result = CheckAuth($username);
        ReportAuth($username, $result, 0);
        DoReallyImportantStuff();
    }

Bad · Perl
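Both examples above share one root cause: nothing at the call site checks that the arguments line up with the parameters, so the swap and the wrong flag value are silent. The Python below is an added example, not code from this page or from MITRE. It re-creates the PHP swap, shows a keyword-only signature that turns the swap into an immediate TypeError, and implements a small name-based AST checker of the kind the Build and Compilation mitigation asks for, applied to snippets shaped like both the PHP and the Perl example. USERS, authenticate, login_swapped, authenticate_kw, SIGNATURES, FLAG_PARAMS and find_argument_issues are hypothetical names; the user record and the scanned source snippets are constructed for the demonstration.

```python
"""Added CWE-628 example (hypothetical code, not from the CWE page or MITRE).

Part 1 reproduces the page's PHP argument swap in Python and shows a
signature that rejects it. Part 2 is a small AST-based checker of the kind
the "Build and Compilation" mitigation calls for. All data is constructed.
"""
import ast
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed user store: username -> sha256(password). A real system would
# use a salted, slow KDF; the hash choice is irrelevant to the argument bug.
USERS: Dict[str, str] = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def authenticate(username: str, password: str) -> bool:
    """Positional signature, as in the page's PHP example."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, digest)


def login_swapped(form: Dict[str, str]) -> bool:
    """CWE-628: the arguments are passed in reverse order. Nothing fails
    loudly; the check simply runs against the wrong pair of values."""
    return authenticate(form["password"], form["username"])


def login_correct(form: Dict[str, str]) -> bool:
    return authenticate(username=form["username"], password=form["password"])


def authenticate_kw(*, username: str, password: str) -> bool:
    """Hardened signature: keyword-only parameters. A positional call such as
    authenticate_kw(pw, user) raises TypeError instead of silently checking
    the wrong pair."""
    return authenticate(username, password)


# ---- Part 2: a tiny argument checker (hypothetical tool, name heuristic) ----
# Hypothetical signature table; a real tool would read it from the callees.
SIGNATURES: Dict[str, List[str]] = {
    "authenticate": ["username", "password"],
    "report_auth": ["username", "result", "fatal"],  # shape of the Perl example
}
FLAG_PARAMS = {"fatal"}  # flag parameters where a bare 0/1 literal hides mistakes


def _name_hint(node: ast.AST) -> Optional[str]:
    """Best-effort identifier for an argument expression: `password`,
    `req.password` and `form["password"]` all yield 'password'."""
    if isinstance(node, ast.Name):
        return node.id.lower()
    if isinstance(node, ast.Attribute):
        return node.attr.lower()
    if (isinstance(node, ast.Subscript) and isinstance(node.slice, ast.Constant)
            and isinstance(node.slice.value, str)):
        return node.slice.value.lower()
    return None


def find_argument_issues(source: str, signatures=SIGNATURES) -> List[str]:
    """Flag calls to known functions whose positional arguments are miscounted,
    look like they belong to a different parameter, or pass a bare literal to
    a flag parameter. Heuristic only: it cannot know whether 0 or 1 was meant,
    only that a bare literal flag is where that kind of error hides."""
    findings: List[str] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        fn = node.func
        name = fn.id if isinstance(fn, ast.Name) else getattr(fn, "attr", None)
        if name not in signatures:
            continue
        params = signatures[name]
        if not node.keywords and len(node.args) != len(params):
            findings.append(f"line {node.lineno}: {name}() expects {len(params)} "
                            f"arguments, got {len(node.args)}")
        for pos, arg in enumerate(node.args[:len(params)]):
            if isinstance(arg, ast.Constant) and params[pos] in FLAG_PARAMS:
                findings.append(f"line {node.lineno}: {name}() gets bare literal "
                                f"{arg.value!r} for flag '{params[pos]}'; pass it by keyword")
                continue
            hint = _name_hint(arg)
            if hint is None or params[pos] in hint:
                continue
            for other_pos, other in enumerate(params):
                if other_pos != pos and other in hint:
                    findings.append(f"line {node.lineno}: {name}() argument {pos + 1} "
                                    f"looks like '{other}' but the parameter is '{params[pos]}'")
                    break
    return findings


if __name__ == "__main__":
    form = {"username": "alice", "password": "correct horse"}  # constructed request
    print("correct order:", login_correct(form))   # True
    print("swapped order:", login_swapped(form))   # False: checked the wrong pair
    for line in find_argument_issues(
            'authenticate(form["password"], form["username"])\n'
            'report_auth(user, result, 0)\n'):
        print(line)
```

The keyword-only signature is the cheap fix for the PHP shape of the bug: the language itself refuses the swapped call. The checker covers the cases a signature cannot, such as a bare literal in a flag position; it reports the location and leaves the decision about the intended value to the reviewer, which is exactly the code-inspection step the mitigation describes.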
CVE ID         | Title                                                        | CVSS | Risk level | Published
CVE-2019-14844 | MIT krb5 security vulnerability (krb5)                       | 7.5  | -          | 2019-09-26
CVE-2019-7303  | Canonical snapd permission and access control issue (snapd)  | 5.3  | -          | 2019-04-23

CWE-628 (Function Call with Incorrectly Specified Arguments) is a common weakness class; this platform lists the 2 CVEs associated with it.