
CWE-749 Exposed Dangerous Method or Function: vulnerability list (119)

119 CVE vulnerabilities associated with the CWE-749 (Exposed Dangerous Method or Function) weakness class, with AI-generated analysis in Chinese.

CWE-749 covers the exposure of a dangerous method or function and is an access-control defect of the interface itself. When an API includes dangerous functionality that is not restricted, an attacker can invoke the sensitive operation directly through that interface, with consequences ranging from privilege escalation and data disclosure to destruction of the system. Developers should avoid exposing high-risk functionality to external callers at all; where some exposure is unavoidable, strict authentication, fine-grained authorization and the principle of least privilege should ensure that only authorized callers can reach a given method.

MITRE CWE official description
CWE-749 Exposed Dangerous Method or Function: The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. This weakness can lead to a wide variety of resultant weaknesses, depending on the behavior of the exposed method. It can apply to any number of technologies and approaches, such as ActiveX controls, Java functions, IOCTLs, and so on. The exposure can occur in a few different ways: (1) the function/method was never intended to be exposed to outside actors; (2) the function/method was only intended to be accessible to a limited set of actors, such as Internet-based access from a single web site.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control, Other. Impact: Gain Privileges or Assume Identity, Read Application Data, Modify Application Data, Execute Unauthorized Code or Commands, Other.
Exposing critical functionality essentially provides an attacker with the privilege level of the exposed functionality. This could result in the modification or exposure of sensitive data or possibly even execution of arbitrary code.
Potential Mitigations (2)
Phase: Architecture and Design. If you must expose a method, make sure to perform input validation on all arguments, limit access to authorized parties, and protect against all possible vulnerabilities.
Phase: Architecture and Design, Implementation. Identify all exposed functionality. Explicitly list all functionality that must be exposed to some user or set of users. Identify which functionality may be: (a) accessible to all users; (b) restricted to a small set of privileged users; (c) prevented from being directly accessible at all. Ensure that the implemented code follows these expectations. This includes setting the appropriate access modifiers where ap…
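The two mitigations above amount to one procedure: inventory what the interface exposes, decide per method who may call it, and validate every argument. The following added example (not code from the page or from MITRE) contrasts the CWE-749 pattern, a dispatcher that reflectively calls whatever method name the caller names, with an explicit exposure inventory. The Service class, its method names, the roles and the sample data are assumptions made for the illustration.

```python
"""Added example (not code from the page or from MITRE): a dangerous method
reachable through a generic dispatcher, beside an explicit exposure
inventory that restricts it. Service, method names and roles are assumed."""
from dataclasses import dataclass, field
from enum import Enum
import re


class Access(Enum):
    PUBLIC = "public"           # any caller
    PRIVILEGED = "privileged"   # callers holding the admin role only
    # A method absent from EXPOSED is internal: never reachable via the API.


@dataclass
class Principal:
    name: str
    roles: frozenset = field(default_factory=frozenset)


class Service:
    """Hypothetical backend: harmless methods next to one destructive one."""

    def __init__(self):
        self.databases = {"prod", "staging"}
        self.users = {"alice": {"email": "alice@example.test"}}  # constructed

    def get_user_info(self, username: str) -> dict:
        return dict(self.users.get(username, {}))

    def list_databases(self) -> list:
        return sorted(self.databases)

    def remove_database(self, database_name: str) -> bool:
        self.databases.discard(database_name)   # the DROP DATABASE equivalent
        return True


def dispatch_reflective(service: Service, method: str, *args):
    """Bad: calls whatever name the caller supplies, so every method of the
    object, remove_database included, is part of the external interface."""
    return getattr(service, method)(*args)


EXPOSED = {
    "get_user_info": Access.PUBLIC,
    "list_databases": Access.PRIVILEGED,
    # remove_database is deliberately absent: not exposed at all.
}
ARG_PATTERN = re.compile(r"^[A-Za-z0-9_]{1,64}$")   # per-argument validation


class DispatchError(Exception):
    pass


def dispatch_restricted(service: Service, caller: Principal, method: str, *args):
    """Good: only inventoried methods, only for the right role, only with
    validated arguments; unknown names are refused without being looked up."""
    access = EXPOSED.get(method)
    if access is None:
        raise DispatchError(f"method not exposed: {method}")
    if access is Access.PRIVILEGED and "admin" not in caller.roles:
        raise DispatchError(f"{caller.name} may not call {method}")
    for arg in args:
        if not isinstance(arg, str) or not ARG_PATTERN.match(arg):
            raise DispatchError("invalid argument")
    return getattr(service, method)(*args)


def _refused(fn, *args) -> bool:
    try:
        fn(*args)
        return False
    except DispatchError:
        return True


def demo() -> dict:
    """Same requests through both dispatchers; returns what happened."""
    anon = Principal("anonymous")
    admin = Principal("ops", frozenset({"admin"}))
    out = {}
    svc = Service()
    dispatch_reflective(svc, "remove_database", "prod")   # nobody asked who
    out["reflective_prod_survives"] = "prod" in svc.databases
    svc = Service()
    out["restricted_refuses_drop"] = _refused(dispatch_restricted, svc, anon, "remove_database", "prod")
    out["restricted_prod_survives"] = "prod" in svc.databases
    out["anon_list_refused"] = _refused(dispatch_restricted, svc, anon, "list_databases")
    out["admin_list"] = dispatch_restricted(svc, admin, "list_databases")
    out["public_lookup"] = dispatch_restricted(svc, anon, "get_user_info", "alice")
    out["bad_arg_refused"] = _refused(dispatch_restricted, svc, anon, "get_user_info", "x; DROP DATABASE prod")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The inventory is the security boundary: a method that is not in EXPOSED cannot be reached no matter what name the caller sends, which is the runtime equivalent of the page's Java fix of declaring removeDatabase private. The same check is what to look for when reviewing RPC, command or plugin dispatchers that route on a caller-supplied name.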
Code Examples (2)
In the following Java example the method removeDatabase deletes the database whose name is passed in the input parameter. Declared public, it is part of the class's external interface, so any code holding a reference to the object can drop any database; the second version takes it out of that interface by declaring it private.

    public void removeDatabase(String databaseName) {
        try {
            Statement stmt = conn.createStatement();
            // Destructive operation reachable by every caller of this class;
            // the name is also concatenated unvalidated into the SQL statement
            stmt.execute("DROP DATABASE " + databaseName);
        } catch (SQLException ex) {...}
    }

Bad · Java

    private void removeDatabase(String databaseName) {
        try {
            Statement stmt = conn.createStatement();
            // private: no longer callable from outside the class
            stmt.execute("DROP DATABASE " + databaseName);
        } catch (SQLException ex) {...}
    }

Good · Java
These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing JavaScript within the WebView to communicate with the application. Neither handler checks which page issued the request, so any content loaded into the WebView, whether third-party or injected, can call the exposed function.

    // Android
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (url.length() >= 14 && url.substring(0, 14).equalsIgnoreCase("examplescheme:")) {
            if (url.length() >= 25 && url.substring(14, 25).equalsIgnoreCase("getUserInfo")) {
                // Any page in the WebView can trigger this and receive UserData
                writeDataToView(view, UserData);
                return false;
            } else {
                return true;
            }
        }
        return false; // let the WebView load every other URL
    }

Bad · Java

    // iOS
    - (BOOL)webView:(UIWebView *)exWebView shouldStartLoadWithRequest:(NSURLRequest *)exRequest navigationType:(UIWebViewNavigationType)exNavigationType {
        NSURL *URL = [exRequest URL];
        if ([[URL scheme] isEqualToString:@"exampleScheme"]) {
            NSString *functionString = [URL resourceSpecifier];
            if ([functionString hasPrefix:@"specialFunction"]) {
                // Make data available back in webview.
                // No check of which page issued the request
                UIWebView *webView = [self writeDataToView:[URL query]];
            }
            return NO;
        }
        return YES;
    }

Bad · Objective-C
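This is the second exposure mode in the MITRE description: a function meant for one web site only. The added example below (not the page's or MITRE's code) models the Android handler in Python so it can be run: bad_should_override mirrors the snippet's behaviour, while safe_should_override also requires the origin of the page that triggered the navigation to be on an allow-list and the requested function to be inventoried. The page_url parameter, TRUSTED_ORIGINS and the sample user data are assumptions.

```python
"""Added example (not the page's or MITRE's code): the WebView URL-scheme
bridge above modelled in Python. bad_should_override mirrors the Android
snippet; safe_should_override additionally gates the call on the origin of
the page that triggered it. TRUSTED_ORIGINS, page_url and the sample data
are assumptions."""
from urllib.parse import urlsplit

USER_DATA = {"name": "alice", "token": "sess-0123"}          # constructed
TRUSTED_ORIGINS = frozenset({"https://app.example.test"})    # assumption
EXPOSED_FUNCTIONS = frozenset({"getUserInfo"})


def bad_should_override(url: str) -> tuple:
    """Honours examplescheme:getUserInfo from whichever page requests it:
    third-party content or an injected script in the WebView gets USER_DATA."""
    if url[0:14].lower() == "examplescheme:":
        if url[14:25].lower() == "getuserinfo":
            return ("handled", USER_DATA)
        return ("blocked", None)
    return ("load", None)


def origin_of(page_url: str) -> str:
    parts = urlsplit(page_url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def safe_should_override(page_url: str, url: str) -> tuple:
    """page_url is the document that triggered the navigation (the real
    callbacks can read it from the WebView); only an allow-listed https origin
    may reach the bridge, and only inventoried functions are served."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "examplescheme":
        return ("load", None)                   # ordinary navigation
    if origin_of(page_url) not in TRUSTED_ORIGINS:
        return ("blocked", None)                # untrusted page, drop the call
    function = parts.path                       # query string is kept apart
    if function not in EXPOSED_FUNCTIONS:
        return ("blocked", None)
    return ("handled", USER_DATA)


def demo() -> dict:
    call = "examplescheme:getUserInfo"
    trusted = "https://app.example.test/home"
    return {
        "bad_from_attacker": bad_should_override(call)[0],
        "safe_from_trusted": safe_should_override(trusted, call),
        "safe_from_attacker": safe_should_override("https://evil.example.test/", call)[0],
        "safe_plain_http": safe_should_override("http://app.example.test/home", call)[0],
        "safe_unlisted_function": safe_should_override(trusted, "examplescheme:dumpKeychain")[0],
        "safe_normal_navigation": safe_should_override(trusted, "https://cdn.example.test/a.js")[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details matter when carrying this back to the real callbacks. The origin must come from the page that is currently loaded in the WebView, not from the URL being navigated to, since the latter is entirely attacker-chosen; and the allow-list should hold only https origins, because a plain-http page can be rewritten on the network and then makes the same bridge call.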
CVE ID | Title | Product | CVSS | Risk | Published
(Values marked (AI) carried an AI tag on the original page; "-" means no risk level was given.)
CVE-2026-25266 | Dangerous function exposure on a Windows host | Snapdragon | 5.5 | Medium | 2026-05-04
CVE-2026-5173 | GitLab security vulnerability | GitLab | 8.5 | High | 2026-04-08
CVE-2026-35488 | Tandoor Recipes security vulnerability | recipes | 8.1 | High | 2026-04-07
CVE-2026-30957 | OneUptime security vulnerability | oneuptime | 10.0 | Critical | 2026-03-10
CVE-2026-3483 | Ivanti Desktop and Server Management security vulnerability | Desktop and Server Management | 7.8 | High | 2026-03-10
CVE-2026-30921 | OneUptime security vulnerability | oneuptime | 10.0 | Critical | 2026-03-09
CVE-2026-20423 | MediaTek Chipsets security vulnerability | MediaTek chipset | 7.8 (AI) | High (AI) | 2026-03-02
CVE-2026-28400 | Docker Model Runner security vulnerability | model-runner | 7.6 | High | 2026-02-27
CVE-2026-22208 | OpenS100 security vulnerability | OpenS100 | 9.6 | Critical | 2026-02-17
CVE-2025-47366 | Qualcomm Chipsets security vulnerability | Snapdragon | 7.1 | High | 2026-02-02
CVE-2025-9611 | Microsoft Playwright security vulnerability | Playwright | 9.6 | - | 2026-01-07
CVE-2025-14494 | RealDefense SUPERAntiSpyware security vulnerability | SUPERAntiSpyware | 7.8 (AI) | High (AI) | 2025-12-23
CVE-2025-14491 | RealDefense SUPERAntiSpyware security vulnerability | SUPERAntiSpyware | 7.8 (AI) | High (AI) | 2025-12-23
CVE-2025-14489 | RealDefense SUPERAntiSpyware security vulnerability | SUPERAntiSpyware | 7.8 (AI) | High (AI) | 2025-12-23
CVE-2025-14490 | RealDefense SUPERAntiSpyware security vulnerability | SUPERAntiSpyware | 7.8 (AI) | High (AI) | 2025-12-23
CVE-2025-14488 | RealDefense SUPERAntiSpyware security vulnerability | SUPERAntiSpyware | 7.8 (AI) | High (AI) | 2025-12-23
CVE-2025-14497 | RealDefense SUPERAntiSpyware security vulnerability | SUPERAntiSpyware | 7.8 (AI) | High (AI) | 2025-12-23
CVE-2025-14495 | RealDefense SUPERAntiSpyware security vulnerability | SUPERAntiSpyware | 7.8 (AI) | High (AI) | 2025-12-23
CVE-2025-14493 | RealDefense SUPERAntiSpyware security vulnerability | SUPERAntiSpyware | 7.8 (AI) | High (AI) | 2025-12-23
CVE-2025-14496 | RealDefense SUPERAntiSpyware security vulnerability | SUPERAntiSpyware | 7.8 (AI) | High (AI) | 2025-12-23
CVE-2025-14492 | RealDefense SUPERAntiSpyware security vulnerability | SUPERAntiSpyware | 7.8 (AI) | High (AI) | 2025-12-23
CVE-2025-59788 | Nextcloud security vulnerability | Nextcloud | 6.4 | Medium | 2025-12-04
CVE-2025-64443 | Docker MCP Gateway security vulnerability | mcp-gateway | 8.3 (AI) | High (AI) | 2025-12-03
CVE-2025-47353 | Qualcomm Chipsets security vulnerability | Snapdragon | 7.8 | High | 2025-11-04
CVE-2025-34114 | OpenBlow security vulnerability | OpenBlow | 6.1 | - | 2025-07-25
CVE-2025-5823 | Autel MaxiCharger AC Wallbox Commercial security vulnerability | Autel MaxiCharger AC Wallbox Commercial | 6.5 (AI) | Medium (AI) | 2025-06-25
CVE-2025-5748 | WOLFBOX Level 2 EV Charger security vulnerability | Level 2 EV Charger | 8.0 (AI) | High (AI) | 2025-06-06
CVE-2025-30359 | webpack-dev-server security vulnerability | webpack-dev-server | 5.3 | Medium | 2025-06-03
CVE-2025-48415 | eCharge Hardy Barth cPH2 and cPP2 security vulnerability | cPH2 / cPP2 charging stations | 6.8 (AI) | Medium (AI) | 2025-05-21
CVE-2025-43003 | SAP S/4 HANA security vulnerability | SAP S/4HANA (Private Cloud & On-Premise) | 6.4 | Medium | 2025-05-13

CWE-749 (Exposed Dangerous Method or Function) is a common weakness class; this platform has indexed 119 CVEs associated with it, of which the table above lists 30.