
CWE-732 Incorrect Permission Assignment for Critical Resource: vulnerability list (447)

A summary of the 447 CVEs mapped to the CWE-732 (Incorrect Permission Assignment for Critical Resource) weakness class, with AI-generated Chinese analysis.

CWE-732 is a permission-misconfiguration weakness: a critical resource is granted access rights that are broader than needed, so unintended principals can read or modify it. Attackers commonly use this flaw to steal sensitive data or tamper with system configuration, leading to information disclosure or service disruption. Developers should avoid relying on permissive defaults, follow the principle of least privilege strictly, set precise access control lists explicitly in code, and audit resource permissions regularly so that only the principals that need access have it.

MITRE CWE official description
CWE-732 Incorrect Permission Assignment for Critical Resource: The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. When a resource is given a permission setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution, or sensitive user data. For example, consider a misconfigured cloud storage account that can be read or written by a public or anonymous user.
Common consequences (3)
Scope: Confidentiality · Impact: Read Application Data, Read Files or Directories
An attacker may be able to read sensitive information from the associated resource, such as credentials or configuration information stored in a file.
Scope: Access Control · Impact: Gain Privileges or Assume Identity
An attacker may be able to modify critical properties of the associated resource to gain privileges, such as replacing a world-writable executable with a Trojan horse.
Scope: Integrity, Other · Impact: Modify Application Data, Other
An attacker may be able to destroy or corrupt critical data in the associated resource, such as deletion of records from a database.
Mitigations (5)
Phase: Implementation. When using a critical resource such as a configuration file, check to see if the resource has insecure permissions (such as being modifiable by any regular user) [REF-62], and generate an error or even exit the software if there is a possibility that the resource could have been modified by an unauthorized party.
Phase: Architecture and Design. Divide the software into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully defining distinct user groups, privileges, and/or roles. Map these against data, functionality, and the related resources. Then set the permissions accordingly. This will allow you to maintain more fine-grained control over your resources. [REF-207]
Effectiveness: Moderate
Phase: Architecture and Design, Operation. Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For ex…
Effectiveness: Limited
Phase: Implementation, Installation. During program startup, explicitly set the default permissions or umask to the most restrictive setting possible. Also set the appropriate permissions during program installation. This will prevent you from inheriting insecure permissions from any user who installs or runs the program.
Effectiveness: High
Phase: System Configuration. For all configuration files, executables, and libraries, make sure that they are only readable and writable by the software's administrator.
Effectiveness: High
Code examples (2)

The following code sets the umask of the process to 0 before creating a file and writing "hello world" into the file. With a umask of 0, nothing is subtracted from the default mode that fopen() requests (0666), so the file is created readable and writable by every user on the system.

    #include <stdio.h>
    #include <sys/stat.h>

    #define OUTFILE "hello.out"

    int main(void)
    {
        umask(0);                 /* the defect: clears the inherited umask */

        FILE *out;
        /* Ignore link following (CWE-59) for brevity */
        out = fopen(OUTFILE, "w");
        if (out) {
            fprintf(out, "hello world!\n");
            fclose(out);
        }
        return 0;
    }

Bad · C

Result:

    -rw-rw-rw- 1 username 13 Nov 24 17:58 hello.out

This code creates a home directory for a new user, and makes that user the owner of the directory. If the new directory cannot be owned by the user, the directory is deleted. Because mkdir() is called without an explicit mode, the directory gets the default mode 0777 minus the process umask, so the new home directory may be readable, or even writable, by other users.

    <?php
    function createUserDir($username)
    {
        $path = '/home/' . $username;
        // No mode argument: inherits the permissive default (0777 & ~umask)
        if (!mkdir($path)) {
            return false;
        }
        if (!chown($path, $username)) {
            rmdir($path);
            return false;
        }
        return true;
    }

Bad · PHP
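The mitigations above ask for two things in code: verify the permissions of a critical resource before trusting it, and create files with an explicit restrictive mode rather than relying on whatever umask the process inherited. The following C program, written as an added example for this page and not taken from MITRE or from the vulnerable examples above, does both for a POSIX file. The function names (check_critical_resource, create_private_file, demo_write, file_perm_bits, loosen_perms) and the file name cwe732_example.out are assumptions chosen for this illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Mitigation "check the resource's permissions": refuse to trust a critical
 * resource (e.g. a config file) that could have been altered by another party.
 * Returns 0 if the file is acceptable, -1 otherwise. lstat() is used so a
 * symlink planted at the path is rejected rather than silently followed. */
int check_critical_resource(const char *path, uid_t expected_owner)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;                      /* missing or unreadable: untrusted */
    if (!S_ISREG(st.st_mode))
        return -1;                      /* symlink, directory, device...   */
    if (st.st_uid != expected_owner)
        return -1;                      /* owned by someone else           */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return -1;                      /* group- or world-writable        */
    return 0;
}

/* Mitigation "set a restrictive umask / explicit permissions": create a file
 * that only its owner can read or write, whatever umask was inherited.
 * O_EXCL makes creation fail if the path already exists, so a pre-planted
 * file or link is never reused. Returns an open fd, or -1 on failure. */
int create_private_file(const char *path)
{
    mode_t old = umask(077);            /* contrast with umask(0) above */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    umask(old);                         /* restore for the rest of the process */
    return fd;
}

/* Write a constructed line into a freshly created private file.
 * Any stale copy from an earlier run is removed first (demo only).
 * Returns 0 on success, -1 on any failure. */
int demo_write(const char *path)
{
    const char msg[] = "hello world!\n";  /* constructed sample content */
    unlink(path);
    int fd = create_private_file(path);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n == (ssize_t)strlen(msg) ? 0 : -1;
}

/* Permission bits (rwx for user/group/other) of a path, or -1 if absent. */
int file_perm_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Simulate the misconfiguration the check must catch: make the file
 * world-writable, as a careless chmod or umask(0) would. */
int loosen_perms(const char *path)
{
    return chmod(path, 0666);
}

int main(void)
{
    const char *path = "cwe732_example.out";
    if (demo_write(path) != 0) {
        perror("demo_write");
        return 1;
    }
    printf("mode after create_private_file: %04o, check=%d\n",
           file_perm_bits(path), check_critical_resource(path, getuid()));
    loosen_perms(path);
    printf("mode after loosen_perms:        %04o, check=%d\n",
           file_perm_bits(path), check_critical_resource(path, getuid()));
    unlink(path);
    return 0;
}
```

Run in an ordinary shell, the program reports mode 0600 and check=0 after creation, then mode 0666 and check=-1 once the file has been loosened, which is the point at which the first mitigation says the software should log an error or refuse to continue. Note that check_critical_resource() is a point-in-time check: a file's permissions can change after it is inspected, so the safest pattern is to open the file first and then run the same tests on the open descriptor with fstat().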
CVE ID | Title | Product | CVSS | Risk level | Published
CVE-2026-41288 | WatchGuard Agent Windows privilege escalation vulnerability | WatchGuard Agent | - | - | 2026-05-06
CVE-2026-41686 | Claude SDK for TypeScript local filesystem memory tool file permission vulnerability | anthropic-sdk-typescript | 5.5 (AI) | Medium (AI) | 2026-05-04
CVE-2026-6499 | OpenConcerto 1.7.5 incorrect permission assignment for critical resource | OpenConcerto | 4.3 (AI) | Medium (AI) | 2026-05-04
CVE-2026-41366 | OpenClaw security vulnerability | OpenClaw | 5.5 | Medium | 2026-04-27
CVE-2026-35367 | uutils coreutils security vulnerability | coreutils | 3.3 | Low | 2026-04-22
CVE-2026-35341 | uutils coreutils security vulnerability | coreutils | 7.1 | High | 2026-04-22
CVE-2026-6842 | Red Hat Enterprise Linux security vulnerability | Red Hat Enterprise Linux 10 | 2.5 | Low | 2026-04-22
CVE-2026-22676 | Barracuda RMM security vulnerability | RMM | 7.8 | High | 2026-04-15
CVE-2026-4482 | Rapid7 Insight Agent security vulnerability | Insight Agent | 7.1 | - | 2026-04-10
CVE-2026-28264 | Dell PowerProtect Agent Service security vulnerability | PowerProtect Agent | 3.3 | Low | 2026-04-08
CVE-2026-33271 | Acronis True Image security vulnerability | Acronis True Image | 7.8 (AI) | High (AI) | 2026-04-02
CVE-2026-21765 | HCL BigFix Platform security vulnerability | BigFix Platform | 8.8 | High | 2026-04-01
CVE-2026-22768 | Dell AppSync security vulnerability | AppSync | 7.3 | High | 2026-04-01
CVE-2026-34352 | TigerVNC security vulnerability | TigerVNC | 8.5 | High | 2026-03-26
CVE-2026-33430 | Briefcase Windows Visual Studio Template security vulnerability | briefcase | 7.3 | High | 2026-03-26
CVE-2026-3113 | Mattermost security vulnerability | Mattermost | 5.0 | Medium | 2026-03-26
CVE-2026-4761 | Codra Panorama Suite security vulnerability | Panorama Suite | 7.5 | - | 2026-03-25
CVE-2026-32048 | OpenClaw security vulnerability | OpenClaw | 7.5 | High | 2026-03-21
CVE-2026-32810 | Halloy security vulnerability | halloy | 7.1 | - | 2026-03-20
CVE-2026-28563 | Apache Airflow security vulnerability | Apache Airflow | 4.3 | - | 2026-03-17
CVE-2026-26929 | Apache Airflow security vulnerability | Apache Airflow | 5.3 (AI) | Medium (AI) | 2026-03-17
CVE-2026-29516 | Buffalo TeraStation NAS TS5400R security vulnerability | TeraStation NAS TS5400R | 4.9 | Medium | 2026-03-16
CVE-2025-15037 | ASUS Business System Control Interface security vulnerability | ASUS Business System Control Interface | 5.5 (AI) | Medium (AI) | 2026-03-12
CVE-2026-24291 | Microsoft Windows security vulnerability | Windows 10 Version 1607 | 7.8 | High | 2026-03-10
CVE-2025-41712 | Janitza UMG 96RM-E 24V and Janitza UMG 96RM-E 230V security vulnerability | UMG 96RM-E 24V (5222063) | 6.5 | Medium | 2026-03-10
CVE-2026-28725 | Acronis Cyber Protect security vulnerability | Acronis Cyber Protect 17 | 7.5 | - | 2026-03-05
CVE-2025-30413 | Acronis Cyber Protect and Acronis Cyber Protect Cloud Agent security vulnerability | Acronis Cyber Protect Cloud Agent | 9.8 | - | 2026-03-05
CVE-2025-11790 | Acronis Cyber Protect Cloud Agent security vulnerability | Acronis Cyber Protect Cloud Agent | 9.8 | - | 2026-03-05
CVE-2026-29188 | File Browser security vulnerability | filebrowser | 9.1 | Critical | 2026-03-05
CVE-2026-29126 | International Datacasting SFX2100 SuperFlex Satellite Receiver security vulnerability | SFX2100 Satellite Receiver | 7.8 | - | 2026-03-05

("(AI)" marks a score or risk level estimated by the platform's AI rather than published by the vendor or NVD; "-" means no value was given.)

CWE-732 (Incorrect Permission Assignment for Critical Resource) is a common weakness class; this platform has indexed 447 CVEs associated with it.