
CWE-99 (Improper Control of Resource Identifiers ('Resource Injection')) — Vulnerability Class 47

47 vulnerabilities classified as CWE-99 (Improper Control of Resource Identifiers ('Resource Injection')). AI Chinese analysis included.

CWE-99 represents a critical input validation weakness where applications fail to restrict user-supplied data before using it as an identifier for external resources. Attackers typically exploit this vulnerability by injecting malicious payloads, such as directory traversal sequences or remote resource references, into input fields. This allows them to bypass intended access controls, potentially reading sensitive local files, accessing restricted network services, or executing arbitrary code on the server. To mitigate this risk, developers must implement strict allow-listing strategies for all resource identifiers, ensuring only predefined, safe values are accepted. Additionally, employing robust input sanitization techniques and validating data types can prevent attackers from manipulating resource paths. By rigorously controlling how user input interacts with system resources, organizations can effectively neutralize injection attacks and maintain the integrity and confidentiality of their applications.

MITRE CWE Description
The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

A resource injection issue occurs when the following two conditions are met:

1. An attacker can specify the identifier used to access a system resource. For example, an attacker might be able to specify part of the name of a file to be opened or a port number to be used.
2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to overwrite the specified file, run with a configuration controlled by the attacker, or transmit sensitive information to a third-party server.

This may enable an attacker to access or modify otherwise protected system resources.
Common Consequences (1)
Scope: Confidentiality, Integrity
Impact: Read Application Data, Modify Application Data, Read Files or Directories, Modify Files or Directories
Note: An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information.
Mitigations (1)
Phase: Implementation
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Examples (2)
Example 1. The following Java code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files.

    // report name taken straight from the request parameter, no validation
    String rName = request.getParameter("reportName");
    // concatenated into a path under the reports directory; ".." segments
    // in rName walk out of that directory
    File rFile = new File("/usr/local/apfr/reports/" + rName);
    ...
    rFile.delete();

Bad · Java

Example 2. The following code uses input from the command line to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can create soft links to the file, they can use the program to read the first part of any file on the system.

    #include <fstream>
    #include <iostream>
    #include <string>
    using namespace std;

    int main(int argc, char* argv[]) {
        ifstream ifs(argv[0]);   // file name taken from the command line as given, never checked
        string s;
        ifs >> s;                // first whitespace-delimited token of the file
        cout << s;               // echoed back to the user
        return 0;
    }

Bad · C++
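The "accept known good" mitigation above, applied to the report-name case from Example 1, as an added example written for this page (it is not MITRE's code and not taken from any product listed below). The base directory /srv/cwe99-demo/reports, the ".txt" allow-list pattern and the function names are this example's own assumptions. Two independent controls are shown: a positive pattern match on the identifier, and a containment check on the resolved path that also catches the soft-link case from Example 2 for path components that exist.

```cpp
// Added example for this page (not MITRE's code or any listed product's):
// the "accept known good" strategy applied to a user-supplied report name.
#include <filesystem>
#include <iostream>
#include <regex>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// Stage 1: positive validation of the identifier itself.  Only names made of
// letters, digits, '_' or '-' (1 to 64 characters) followed by ".txt" pass;
// separators, leading dots and ".." are rejected because they never match.
// The pattern is this example's own policy assumption, not a CWE rule.
bool accept_known_good(const std::string& name) {
    static const std::regex allowed("^[A-Za-z0-9_-]{1,64}\\.txt$");
    return std::regex_match(name, allowed);
}

// Stage 2: is `candidate` at or below `base`?  Components are compared one by
// one so that "/srv/reports-old/x" is not taken for a child of "/srv/reports".
bool is_within(const fs::path& base, const fs::path& candidate) {
    auto c = candidate.begin();
    for (const fs::path& part : base) {
        if (part.empty()) continue;            // a trailing '/' yields an empty element
        if (c == candidate.end() || *c != part) return false;
        ++c;
    }
    return true;
}

// Both controls together.  `out` is set only when the name passes the
// allow-list AND the resolved path stays under `base_dir`.  weakly_canonical
// resolves symlinks for the parts of the path that exist, so a link planted
// inside the reports directory that points elsewhere fails the second test.
bool resolve_report(const fs::path& base_dir, const std::string& name, fs::path& out) {
    if (!accept_known_good(name)) return false;
    std::error_code ec;
    const fs::path base = fs::weakly_canonical(base_dir, ec);
    if (ec) return false;
    const fs::path candidate = fs::weakly_canonical(base / name, ec);
    if (ec) return false;
    if (!is_within(base, candidate)) return false;
    out = candidate;
    return true;
}

int main() {
    const fs::path base = "/srv/cwe99-demo/reports";   // hypothetical directory
    // constructed sample inputs: one conforming name and four that must be rejected
    const char* inputs[] = {"monthly.txt", "../../tomcat/conf/server.xml",
                            "/etc/passwd", "weekly.txt.bak", ".hidden.txt"};
    for (const char* in : inputs) {
        fs::path resolved;
        if (resolve_report(base, in, resolved))
            std::cout << "accept " << in << " -> " << resolved.string() << '\n';
        else
            std::cout << "reject " << in << '\n';
    }
    return 0;
}
```

The allow-list alone already blocks every traversal and absolute-path input, because "/" and a leading "." never match the pattern; the containment check is kept as defense in depth and is the part that matters when the identifier is only partly under the caller's control or when a symlink inside the directory has been redirected. The same two-stage shape carries over to the Java case: match `reportName` against a strict pattern, then compare `rFile.getCanonicalPath()` against the canonical reports directory before calling `delete()`.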
CVE ID | Title | CVSS | Severity | Published
CVE-2024-7437 | SimpleMachines SMF Delete User index.php resource injection — SMF | 5.4 | Medium | 2024-08-03
CVE-2024-0231 | Improper Control of Resource Identifiers ('Resource Injection') in GitLab — GitLab | 2.7 | Low | 2024-07-24
CVE-2024-4817 | Campcodes Online Laundry Management System HTTP Request Parameter manage_user.php resource injection — Online Laundry Management System | 6.3 | Medium | 2024-05-13
CVE-2024-4294 | PHPGurukul Doctor Appointment Management System view-appointment-detail.php resource injection — Doctor Appointment Management System | 6.3 | Medium | 2024-04-27
CVE-2023-3517 | Hitachi Vantara Pentaho Data Integration & Analytics - Improper Control of Resource Identifiers ('Resource Injection') — Pentaho Data Integration & Analytics | 8.5 | High | 2023-12-12
CVE-2023-2980 | Abstrium Pydio Cells User Creation resource injection — Pydio Cells | 6.3 | Medium | 2023-05-30
CVE-2022-39369 | Service Hostname Discovery Exploitation in phpCAS — phpCAS | 8.0 | High | 2022-11-01
CVE-2022-3774 | SourceCodester Train Scheduler App resource injection — Train Scheduler App | 5.4 | Medium | 2022-10-31
CVE-2022-27670 | SAP SQL Anywhere security vulnerability — SAP SQL Anywhere Server | 6.5 | - | 2022-04-12
CVE-2022-1287 | School Club Application System resource injection — School Club Application System | 6.5 | Medium | 2022-04-09
CVE-2021-22879 | Nextcloud injection vulnerability — Nextcloud Desktop Client | 8.8 | - | 2021-04-14
CVE-2020-8177 | Haxx curl injection vulnerability — https://github.com/curl/curl | 7.3 | - | 2020-12-14
CVE-2020-6245 | SAP Business Objects Business Intelligence Platform injection vulnerability — SAP Business Objects Business Intelligence Platform | 7.8 | - | 2020-05-12
CVE-2020-5230 | Opencast uses unsafe identifiers — opencast | 7.7 | High | 2020-01-30
CVE-2019-1860 | Cisco Unified Intelligence Center Remote File Injection Vulnerability — Cisco Unified Intelligence Center | 5.9 | - | 2019-05-16
CVE-2019-6545 | AVEVA InTouch Edge HMI security vulnerability — AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update | 9.1 | - | 2019-02-13
CVE-2016-8615 | Haxx curl security vulnerability — curl | 5.3 | - | 2018-08-01

Vulnerabilities classified as CWE-99 (Improper Control of Resource Identifiers ('Resource Injection')) represent 47 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.