CWE-112 Missing XML Validation: vulnerability list (7)

Summary of the 7 CVE vulnerabilities filed under the CWE-112 Missing XML Validation weakness class, with AI-generated analysis in Chinese.

CWE-112 is an input-validation weakness: the application accepts XML data without validating it. By crafting malformed or malicious XML documents, an attacker exploits the program's assumptions about what its input looks like to trigger parsing errors, denial of service or injection attacks. Developers should validate input strictly against a DTD or XML Schema so that only schema-conformant data reaches the processing logic and malicious payloads are stopped at the boundary.

MITRE CWE official description
CWE-112 Missing XML Validation: The product accepts XML from an untrusted source but does not validate the XML against the proper schema. Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input.
Common consequences (1)
Integrity: Unexpected State
Mitigations (1)
Architecture and Design: Always validate XML input against a known XML Schema or DTD. It is not possible for an XML parser to validate all aspects of a document's content because a parser cannot understand the complete semantics of the data. However, a parser can do a complete and thorough job of checking the document's structure and therefore guarantee to the code that processes the document that the content is well-form…
Code examples (2)
The following code loads and parses an XML file.
// Read DOM
try {
    ...
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setValidating( false );   // validation explicitly switched off: the document is never checked against a DTD or schema
    ....
    c_dom = factory.newDocumentBuilder().parse( xmlFile );
} catch(Exception ex) {
    ...
}
Bad · Java
The following code creates a DocumentBuilder object to be used in building an XML document.
DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
builderFactory.setNamespaceAware(true);
// No schema is set and validation is left at its default (off), so any XML is accepted
DocumentBuilder builder = builderFactory.newDocumentBuilder();
Bad · Java
CVE ID         | Title                                                                                                                          | CVSS | Risk level | Published
CVE-2026-1190  | Keycloak security vulnerability — Red Hat build of Keycloak 26.4                                                               | 3.1  | Low        | 2026-01-26
CVE-2023-40310 | SAP PowerDesigner security vulnerability — SAP PowerDesigner Client                                                             | 6.5  | Medium     | 2023-10-10
CVE-2021-27780 | HCL Technologies BigFix Mobile/Modern Client Management code issue vulnerability — HCL BigFix Mobile / Modern Client Management | 5.3  | Medium     | 2022-05-27
CVE-2022-28213 | SAP BusinessObjects Business Intelligence Platform security vulnerability — SAP BusinessObjects Business Intelligence Platform  | 8.1  | -          | 2022-04-12
CVE-2021-1359  | Cisco Web Security Appliance security vulnerability — Cisco Web Security Appliance (WSA)                                        | 6.3  | Medium     | 2021-07-08
CVE-2020-27282 | Hamilton-medical Hamilton-T1 security vulnerability — Hamilton Medical AG, T1-Ventillator                                       | 4.6  | -          | 2021-03-15
CVE-2020-1975  | Palo Alto Networks PAN-OS code issue vulnerability — PAN-OS                                                                     | 6.8  | Medium     | 2020-02-12

CWE-112 (Missing XML Validation) is a common weakness category; this platform lists the 7 CVE vulnerabilities associated with it.