
CWE-99 Improper Control of Resource Identifiers ('Resource Injection'): vulnerability list (47)

A summary of the 47 CVE vulnerabilities in the CWE-99 Improper Control of Resource Identifiers ('Resource Injection') weakness class, with AI-generated Chinese analysis.

CWE-99 is a resource injection weakness: the program does not sufficiently validate input received from upstream components and uses it directly as the identifier of an external resource. An attacker typically crafts input that manipulates the resource access path in order to read or modify files, database records or other sensitive data they are not authorised to reach. Developers should avoid this by validating input strictly against an allow-list, using parameterised queries or safe APIs, and ensuring the resource identifier stays within the intended control sphere, which blocks unauthorised access.

Official MITRE CWE description
CWE: CWE-99 Improper Control of Resource Identifiers ('Resource Injection'). English text: The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. A resource injection issue occurs when the following two conditions are met: (1) an attacker can specify the identifier used to access a system resource, for example part of the name of a file to be opened or a port number to be used; (2) by specifying the resource, the attacker gains a capability that would not otherwise be permitted, for example the ability to overwrite the specified file, to run with a configuration controlled by the attacker, or to transmit sensitive information to a third-party server. This may enable an attacker to access or modify otherwise protected system resources.
Common Consequences (1)
Scope: Confidentiality, Integrity. Impact: Read Application Data, Modify Application Data, Read Files or Directories, Modify Files or Directories.
An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information.
Mitigations (1)
Phase: Implementation. Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Code Examples (2)
The following Java code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files.
String rName = request.getParameter("reportName");          // attacker-controlled request parameter
File rFile = new File("/usr/local/apfr/reports/" + rName);  // concatenated into the path without validation
...
rFile.delete();                                             // deletes whatever the resulting path points at
Bad · Java
The following code uses input from the command line to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can create soft links to the file, they can use the program to read the first part of any file on the system.
#include <fstream>
#include <iostream>
#include <string>
using namespace std;

int main(int argc, char* argv[]) {
    ifstream ifs(argv[1]);  // file name taken straight from the command line, no validation
    string s;
    ifs >> s;
    cout << s;              // echoes the first token of the file back to the user
}
Bad · C++
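The following is an added example, not code from this page or from MITRE. It re-creates the page's Java report-deletion scenario in Python, placing the vulnerable concatenation beside a hardened resolver that applies the "accept known good" mitigation above: the identifier is matched against an allow-list pattern, and the canonical path is then confirmed to lie inside the report directory before any file system call. The directory layout, file names and contents are constructed in a temporary directory; REPORT_DIR and CONFIG_FILE are assumptions standing in for /usr/local/apfr/reports/ and a configuration file outside it.

```python
"""Resource injection (CWE-99): the report-file scenario, vulnerable and hardened.

Added example, not code from the page or from MITRE. Paths and files below are
constructed in a temporary directory (assumption: they stand in for
/usr/local/apfr/reports/ and a configuration file outside that directory).
"""
import re
import tempfile
from pathlib import Path

BASE = Path(tempfile.mkdtemp(prefix="cwe99-"))
REPORT_DIR = BASE / "reports"               # stands in for /usr/local/apfr/reports/
CONFIG_FILE = BASE / "conf" / "server.xml"  # a file the application must never delete
REPORT_DIR.mkdir()
CONFIG_FILE.parent.mkdir()

# Allow-list ("accept known good"): a report identifier is a short base name
# with a fixed extension and no path separators, dots or other separators.
REPORT_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.pdf")


def vulnerable_delete(report_name: str) -> Path:
    """Mirrors the page's Java snippet: the request parameter is concatenated
    straight into the path, so '../' segments walk out of REPORT_DIR."""
    target = Path(str(REPORT_DIR) + "/" + report_name)
    target.unlink()
    return target


def resolve_report(report_name: str) -> Path:
    """Hardened resolver: allow-list the identifier first, then confirm the
    canonical path is still directly inside REPORT_DIR (catches symlinks and
    normalisation quirks the regex alone would not)."""
    if not REPORT_NAME.fullmatch(report_name):
        raise ValueError(f"rejected report name: {report_name!r}")
    root = REPORT_DIR.resolve()
    target = (root / report_name).resolve(strict=False)
    if target.parent != root:
        raise ValueError(f"report path escapes {root}: {target}")
    return target


def safe_delete(report_name: str) -> Path:
    """Delete a report only after resolve_report() has accepted the name."""
    target = resolve_report(report_name)
    target.unlink()
    return target


def demo() -> dict:
    """Run both versions against a constructed report and a traversal name;
    returns which behaviours were observed."""
    results = {}
    CONFIG_FILE.write_text("<Server/>")
    (REPORT_DIR / "q1.pdf").write_text("constructed report")

    # Vulnerable path: the traversal name deletes the config file next door.
    vulnerable_delete("../conf/" + CONFIG_FILE.name)
    results["vulnerable_deleted_config"] = not CONFIG_FILE.exists()

    # Hardened path: the same name is rejected before any I/O happens.
    CONFIG_FILE.write_text("<Server/>")
    try:
        safe_delete("../conf/" + CONFIG_FILE.name)
        results["hardened_rejected"] = False
    except ValueError:
        results["hardened_rejected"] = CONFIG_FILE.exists()

    # A legitimate identifier still works through the hardened path.
    safe_delete("q1.pdf")
    results["legit_deleted"] = not (REPORT_DIR / "q1.pdf").exists()
    return results


if __name__ == "__main__":
    print(demo())
```

The regex check is the allow-list the mitigation text asks for; the canonical-path comparison is a second, independent check so that a symlink planted inside the report directory cannot redirect the delete elsewhere. Rejecting on either check rather than "cleaning" the input keeps the decision simple to audit and to log.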
CVE ID | Title | Product | CVSS | Risk level | Published
CVE-2026-7303 | XXL-JOB security vulnerability | xxl-job | 3.7 | Low | 2026-04-28
CVE-2026-5414 | Newgen OmniDocs security vulnerability | OmniDocs | 5.3 | Medium | 2026-04-02
CVE-2026-5031 | BichitroGan ISP Billing Software security vulnerability | ISP Billing Software | 4.3 | Medium | 2026-03-29
CVE-2026-3693 | AgentChat security vulnerability | AgentChat | 7.3 | High | 2026-03-08
CVE-2025-12919 | EverShop security vulnerability | EverShop | 3.7 | Low | 2025-11-09
CVE-2025-12918 | Skuul school management system security vulnerability | Skuul School Management System | 3.1 | Low | 2025-11-09
CVE-2025-12270 | LearnHouse security vulnerability | LearnHouse | 4.3 | Medium | 2025-10-27
CVE-2025-43491 | HP Poly Lens security vulnerability | Poly Lens | 6.7 | Medium | 2025-09-09
CVE-2025-9619 | Mercatus ERP security vulnerability | Mercatus ERP | 5.3 | Medium | 2025-08-29
CVE-2025-9264 | XXL-JOB security vulnerability | xxl-job | 5.4 | Medium | 2025-08-20
CVE-2025-9263 | XXL-JOB security vulnerability | xxl-job | 4.3 | Medium | 2025-08-20
CVE-2025-8793 | LitmusChaos security vulnerability | Litmus | 4.3 | Medium | 2025-08-10
CVE-2025-6534 | novel-plus security vulnerability | novel-plus | 4.2 | Medium | 2025-06-24
CVE-2025-2410 | Multiple ABB products security vulnerability | ASPECT-Enterprise | 9.1 | Critical | 2025-05-22
CVE-2025-3855 | CodeCanyon RISE Ultimate Project Manager security vulnerability | RISE Ultimate Project Manager | 4.3 | Medium | 2025-04-22
CVE-2025-0756 | Hitachi Vantara Pentaho Data Integration & Analytics security vulnerability | Pentaho Data Integration & Analytics | 9.1 | Critical | 2025-04-16
CVE-2025-3405 | FCJ Venture Builder appclientefiel security vulnerability | appclientefiel | 4.3 | Medium | 2025-04-08
CVE-2025-2125 | Control iD RHiD security vulnerability | RH iD | 4.3 | Medium | 2025-03-09
CVE-2025-1645 | Benner Connecta security vulnerability | Connecta | 6.3 | Medium | 2025-02-25
CVE-2025-1642 | Benner ModernaNet security vulnerability | ModernaNet | 4.3 | Medium | 2025-02-25
CVE-2025-1575 | Harpia DiagSystem security vulnerability | DiagSystem | 4.3 | Medium | 2025-02-23
CVE-2024-5706 | Hitachi Vantara Pentaho Data Integration & Analytics security vulnerability | Pentaho Data Integration & Analytics | 8.8 | High | 2025-02-19
CVE-2024-57971 | Knowage security vulnerability | KNOWAGE | 9.1 | Critical | 2025-02-16
CVE-2025-0625 | CampCodes School Management Software security vulnerability | School Management Software | 3.1 | Low | 2025-01-22
CVE-2023-6605 | FFmpeg security vulnerability | | 7.2 | High | 2025-01-06
CVE-2023-6604 | FFmpeg security vulnerability | | 5.3 | Medium | 2025-01-06
CVE-2023-6601 | FFmpeg security vulnerability | | 4.7 | Medium | 2025-01-06
CVE-2023-6602 | FFmpeg security vulnerability | | 5.3 | Medium | 2024-12-31
CVE-2024-7658 | ProjectSend security vulnerability | projectsend | 5.3 | Medium | 2024-08-11
CVE-2024-7438 | SMF security vulnerability | SMF | 4.3 | Medium | 2024-08-03

CWE-99 (Improper Control of Resource Identifiers, 'Resource Injection') is a common weakness class; this platform has collected 47 CVE vulnerabilities associated with it.