
CWE-117 Improper Output Neutralization for Logs: vulnerability list (82)

A summary of the 82 CVEs associated with the CWE-117 (Improper Output Neutralization for Logs) weakness class, with AI-generated analysis in Chinese.

CWE-117 is a log injection weakness: the program writes log entries without properly sanitizing input that originates outside the program. An attacker typically exploits this flaw by crafting input that contains newline characters or other special characters, which forces forged entries into the log and thereby hides the traces of a real attack or misleads security analysts. Developers should avoid concatenating user input directly into log strings; instead, use a safe logging API and strictly filter, escape, or validate input data so that the integrity and trustworthiness of the log content is preserved.

MITRE CWE official description
CWE: CWE-117 Improper Output Neutralization for Logs. Description: the product constructs a log message from external input, but does not neutralize, or incorrectly neutralizes, special elements when the message is written to a log file.
Common consequences (1)
Scope: Integrity, Confidentiality, Availability, Non-Repudiation. Impact: Modify Application Data, Hide Activities, Execute Unauthorized Code or Commands.
Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appr…
Mitigations (3)
Phase: Implementation. Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Phase: Implementation. Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Phase: Implementation. Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Code example (1)
The following web application code attempts to read an integer value from a request object. If the parseInt call fails, then the input is logged with an error message indicating what happened.
Bad · Java:
    String val = request.getParameter("val");
    try {
        int value = Integer.parseInt(val);
    } catch (NumberFormatException e) {
        // The raw request parameter is concatenated into the log message unchanged:
        // any CR/LF it contains becomes a new, attacker-controlled log line.
        log.info("Failed to parse val = " + val);
    }
    ...
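To contrast the bad example above with a neutralized version, here is an added illustration that is not part of the CWE entry or of this page: it applies the two mitigation ideas the page lists, an allowlist check on the parameter and encoding of control characters before the value reaches the log. The class name SafeLogging, the neutralize and handle helpers, and the sample inputs are assumptions made for this illustration.

```java
import java.util.logging.Logger;
import java.util.regex.Pattern;

public class SafeLogging {
    private static final Logger log = Logger.getLogger(SafeLogging.class.getName());
    // Allowlist: "val" is specified as an optionally signed decimal integer;
    // at most 9 digits keeps every accepted value inside the int range.
    private static final Pattern INT_PATTERN = Pattern.compile("-?[0-9]{1,9}");

    // Encode CR, LF, tab and every other control character so that one request
    // value can never be rendered as more than one log line (CWE-117).
    static String neutralize(String input) {
        if (input == null) return "<null>";
        StringBuilder sb = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '\n': sb.append("\\n"); break;
                case '\r': sb.append("\\r"); break;
                case '\t': sb.append("\\t"); break;
                default:
                    if (Character.isISOControl(c)) {
                        sb.append(String.format("\\x%02x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    // Same flow as the bad example, but the raw parameter never reaches the log.
    static void handle(String val) {
        if (val == null || !INT_PATTERN.matcher(val).matches()) {
            // Rejected by the allowlist: log only an encoded, length-capped copy.
            String shown = neutralize(val);
            if (shown.length() > 64) shown = shown.substring(0, 64) + "...";
            log.info("Failed to parse val = " + shown);
            return;
        }
        int value = Integer.parseInt(val);   // cannot throw: input already validated
        log.info("Parsed val = " + value);
    }

    public static void main(String[] args) {
        // Constructed samples: a valid value, then one carrying a CR/LF and a forged entry.
        handle("42");
        handle("12x\r\nINFO: Login succeeded for user admin");
    }
}
```

The second call produces a single log line in which the line break appears as the literal text \r\n, so the forged "Login succeeded" entry stays visibly inside the rejected value instead of becoming a record of its own.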
| CVE ID | Title | Product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2026-45679 | OpenTelemetry eBPF Redis status message disclosure vulnerability | opentelemetry-ebpf-instrumentation | 6.5 | Medium | 2026-06-02 |
| CVE-2026-6494 | Red Hat Ansible Automation Platform (Red Hat AAP) security vulnerability | Red Hat Ansible Automation Platform 2 | 5.3 | Medium | 2026-04-17 |
| CVE-2025-14684 | IBM Maximo Application Suite - Monitor Component security vulnerability | Maximo Application Suite - Monitor Component | 4.0 | Medium | 2026-03-25 |
| CVE-2025-59784 | 2N Access Commander security vulnerability | 2N Access Commander | 6.5 (AI) | Medium (AI) | 2026-03-04 |
| CVE-2025-12755 | IBM MQ security vulnerability | MQ Operator | 4.0 | Medium | 2026-02-17 |
| CVE-2025-11537 | Keycloak security vulnerability | Red Hat Build of Keycloak | 5.0 | Medium | 2026-02-10 |
| CVE-2026-1337 | Neo4j security vulnerability | Enterprise Edition | 6.1 (AI) | Medium (AI) | 2026-02-06 |
| CVE-2025-66577 | cpp-httplib security vulnerability | cpp-httplib | 5.3 | Medium | 2025-12-05 |
| CVE-2025-20384 | Splunk Cloud Platform and Splunk Enterprise security vulnerability | Splunk Enterprise | 5.3 | Medium | 2025-12-03 |
| CVE-2025-36159 | IBM Concert security vulnerability | Concert | 6.2 | Medium | 2025-11-20 |
| CVE-2025-11627 | WordPress plugin Site Checkup Debug AI Troubleshooting with Wizard and Tips for Each Issue security vulnerability | Site Checkup Debug AI Troubleshooting with Wizard and Tips for Each Issue | 6.5 | Medium | 2025-10-30 |
| CVE-2025-36081 | IBM Concert Software security vulnerability | Concert Software | 5.3 | Medium | 2025-10-28 |
| CVE-2025-58580 | SICK AG Enterprise Analytics security vulnerability | Enterprise Analytics | 6.5 | Medium | 2025-10-06 |
| CVE-2025-10217 | Hitachi Energy Asset Suite security vulnerability | Asset Suite | 4.3 (AI) | Medium (AI) | 2025-09-30 |
| CVE-2025-54812 | Apache Log4cxx security vulnerability | Apache Log4cxx | 6.1 (AI) | Medium (AI) | 2025-08-22 |
| CVE-2025-54813 | Apache Log4cxx security vulnerability | Apache Log4cxx | 5.3 (AI) | Medium (AI) | 2025-08-22 |
| CVE-2025-54389 | Aide security vulnerability | aide | 6.2 | Medium | 2025-08-14 |
| CVE-2025-54656 | Apache Struts Extras 2 security vulnerability | Apache Struts Extras | 5.3 (AI) | Medium (AI) | 2025-07-30 |
| CVE-2025-49846 | Wire Swiss wire-ios security vulnerability | wire-ios | 4.6 (AI) | Medium (AI) | 2025-07-03 |
| CVE-2025-48432 | Django security vulnerability | Django | 4.0 | Medium | 2025-06-05 |
| CVE-2024-13949 | ABB multiple products security vulnerability | ASPECT-Enterprise | 6.8 | Medium | 2025-05-22 |
| CVE-2025-3942 | Tridium Niagara Framework and Tridium Niagara Enterprise Security security vulnerability | Niagara Framework | 4.3 | Medium | 2025-05-22 |
| CVE-2025-41429 | appleple a-blog cms security vulnerability | a-blog cms | 4.8 | Medium | 2025-05-19 |
| CVE-2025-36625 | Tenable Network Security Nessus security vulnerability | Nessus | 4.3 | Medium | 2025-04-18 |
| CVE-2024-52962 | Fortinet FortiAnalyzer security vulnerability | FortiAnalyzer | 5.0 | Medium | 2025-04-08 |
| CVE-2024-9606 | LiteLLM security vulnerability | berriai/litellm | 7.5 | - | 2025-03-20 |
| CVE-2024-12580 | LibreChat security vulnerability | danny-avila/librechat | 5.3 | - | 2025-03-20 |
| CVE-2025-25294 | Envoy Gateway security vulnerability | gateway | 5.3 | Medium | 2025-03-06 |
| CVE-2025-23405 | Dario Health USB-C Blood Glucose Monitoring System security vulnerability | USB-C Blood Glucose Monitoring System Starter Kit Android Applications | 5.3 | Medium | 2025-02-28 |
| CVE-2024-49355 | IBM OpenPages with Watson security vulnerability | OpenPages with Watson | 5.3 | Medium | 2025-02-20 |

CWE-117 (Improper Output Neutralization for Logs) is a common weakness category; this platform has collected 82 CVEs associated with it.