
CWE-648 Improper Use of Privileged API: Weakness Class Vulnerability List (57)

CWE-648 Improper Use of Privileged API: a summary of the 57 CVE vulnerabilities recorded under this weakness class, with AI-generated Chinese analysis.

CWE-648 covers misuse of privileged APIs: the program does not follow the calling requirements of a function that runs with elevated privileges. Attackers commonly exploit this flaw by crafting abnormal calls or bypassing permission checks so that the system performs a privileged operation on their behalf, gaining unauthorized access or elevating privileges. To avoid this class of problem, developers should strictly validate input parameters, ensure the calling context satisfies the API's security assumptions, and apply the principle of least privilege so that unprivileged subjects cannot invoke sensitive interfaces.

MITRE CWE Official Description
CWE-648 Improper Use of Privileged API: The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly. When a product contains functions that perform operations requiring an elevated level of privilege, the caller of a privileged API must be careful to: ensure that the assumptions made by the API are valid, such as the validity of its arguments; account for known weaknesses in the design or implementation of the API; and call the API from a safe context. If the caller of the API does not follow these requirements, a malicious user or process may be able to elevate its privileges, hijack the process, or steal sensitive data. For instance, it is important to know whether a privileged API fails to shed its privileges before returning to the caller, or whether the privileged function makes assumptions about the data, context or state information passed to it by the caller. Knowing when and how a privileged API may be called is essential to ensuring that its elevated level of privilege cannot be exploited.
Common Consequences (3)
Access Control: Gain Privileges or Assume Identity
An attacker may be able to elevate privileges.
Confidentiality: Read Application Data
An attacker may be able to obtain sensitive information.
Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands
An attacker may be able to execute code.
Mitigations (5)
Implementation: Before calling privileged APIs, always ensure that the assumptions made by the privileged code hold true prior to making the call.
Architecture and Design: Know the architecture and implementation weaknesses of the privileged APIs and account for these weaknesses before calling them, to ensure that they can be called safely.
Implementation: If privileged APIs make certain assumptions about the validity of data, context or state passed by the caller, the calling code must ensure that these assumptions have been validated prior to making the call.
Implementation: If privileged APIs do not shed their privilege prior to returning to the calling code, then the calling code needs to shed these privileges immediately and safely right after the call to the privileged APIs. In particular, the calling code needs to ensure that a privileged thread of execution will never be returned to the user or made available to user-controlled processes.
Implementation: Only call privileged APIs from a safe, consistent and expected state.
CVE ID | Title | Product | CVSS | Risk level | Published
CVE-2026-41386 | OpenClaw security vulnerability | OpenClaw | 9.1 | Critical | 2026-04-28
CVE-2026-41329 | OpenClaw security vulnerability | OpenClaw | 9.9 | Critical | 2026-04-20
CVE-2026-35669 | OpenClaw security vulnerability | OpenClaw | 8.8 | High | 2026-04-10
CVE-2026-35663 | OpenClaw security vulnerability | OpenClaw | 8.8 | High | 2026-04-10
CVE-2026-35645 | OpenClaw security vulnerability | OpenClaw | 8.1 | High | 2026-04-09
CVE-2026-35639 | OpenClaw security vulnerability | OpenClaw | 8.8 | High | 2026-04-09
CVE-2026-35625 | OpenClaw security vulnerability | OpenClaw | 7.8 | High | 2026-04-09
CVE-2026-20122 | Cisco Catalyst SD-WAN Manager security vulnerability | Cisco Catalyst SD-WAN Manager | 5.4 | Medium | 2026-02-25
CVE-2026-20126 | Cisco Catalyst SD-WAN Manager security vulnerability | Cisco Catalyst SD-WAN Manager | 8.8 | High | 2026-02-25
CVE-2026-22922 | Apache Airflow security vulnerability | Apache Airflow | 4.3 (AI) | Medium (AI) | 2026-02-09
CVE-2025-1161 | NomySoft Nomysem security vulnerability | Nomysem | 7.1 | High | 2025-12-10
CVE-2024-32008 | Siemens Spectrum Power security vulnerability | Spectrum Power 4 | 7.8 | High | 2025-11-11
CVE-2025-54768 | XORUX LPAR2RRD security vulnerability | LPAR2RRD | 4.3 (AI) | Medium (AI) | 2025-07-28
CVE-2025-54767 | XORUX LPAR2RRD security vulnerability | LPAR2RRD | 6.5 (AI) | Medium (AI) | 2025-07-28
CVE-2025-54765 | XORUX XorMon-NG security vulnerability | XorMon-NG | 8.8 (AI) | High (AI) | 2025-07-28
CVE-2025-54766 | XORUX XorMon-NG security vulnerability | XorMon-NG | 6.5 (AI) | Medium (AI) | 2025-07-28
CVE-2025-5997 | Beamsec PhishPro security vulnerability | PhishPro | 8.8 | High | 2025-07-28
CVE-2025-7344 | Digiwin EAI security vulnerability | EAI | 8.8 | High | 2025-07-21
CVE-2025-23375 | Dell PowerProtect Data Manager Reporting security vulnerability | PowerProtect Data Manager | 7.8 | High | 2025-04-28
CVE-2022-26323 | OpenText multiple products security vulnerability | Operations Bridge Manager | 8.8 (AI) | High (AI) | 2025-04-17
CVE-2025-2311 | Nebula Informatics SecHard security vulnerability | SecHard | 9.0 | Critical | 2025-03-20
CVE-2024-53007 | Bentley Systems ProjectWise Integration Server security vulnerability | ProjectWise Integration Server | 6.4 | Medium | 2025-01-31
CVE-2024-8785 | Progress Software WhatsUp Gold security vulnerability | WhatsUp Gold | 9.8 | Critical | 2024-12-02
CVE-2024-11068 | D-Link DSL6740C security vulnerability | DSL6740C | 9.8 | Critical | 2024-11-11
CVE-2024-46978 | XWiki Platform security vulnerability | xwiki-platform | 6.5 | Medium | 2024-09-18
CVE-2023-6522 | ExtremePacs Extreme XDS security vulnerability | Extreme XDS | 7.2 | High | 2024-04-05
CVE-2023-4993 | Utarit Information Technologies SoliPay Mobile App security vulnerability | SoliPay Mobile App | 7.5 | High | 2024-02-15
CVE-2024-22042 | Siemens Unicam FX security vulnerability | Unicam FX | 7.8 | High | 2024-02-13
CVE-2023-6151 | ESKOM Computer e-municipality module security vulnerability | e-municipality module | 7.5 | High | 2023-11-28
CVE-2023-6150 | ESKOM Computer e-municipality module security vulnerability | e-municipality module | 7.5 | High | 2023-11-28

CWE-648 (Improper Use of Privileged API) is a common weakness class; this platform has indexed 57 CVE vulnerabilities associated with it.