
CWE-1284 vulnerability list (151)

Summary of the 151 CVE entries associated with weakness class CWE-1284, with AI-generated analysis (Chinese in the original).

CWE-1284 is an input validation weakness: the program fails to properly validate a quantity specified in its input. Attackers typically submit abnormal values (for example an extreme length or frequency, or a negative number where only positive values make sense) to trigger resource exhaustion, arithmetic errors, or out-of-bounds logic, leading to denial of service or a crash. Developers should enforce strict bounds checks on both ends of the expected range, and validate the quantity before it is used to allocate resources, size a buffer, or control a loop, so that an illegal quantity never reaches the code that depends on it.

MITRE CWE official description
CWE-1284: Improper Validation of Specified Quantity in Input. The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. Specified quantities include size, length, frequency, price, rate, number of operations, time, and others. Code may rely on a specified quantity to allocate resources, perform calculations, control iteration, etc.
Common consequences (1)
Scope: Other, Integrity, Availability
Impact: Varies by Context; DoS: Resource Consumption (CPU); Modify Memory; Read Memory
When the quantity is not properly validated, then attackers can specify malicious quantities to cause excessive resource allocation, trigger unexpected failures, enable buffer overflows, etc.
Mitigations (1)
Phase: Implementation
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Effectiveness: High
Code examples (2)

This example demonstrates a shopping interaction in which the user is free to specify the quantity of items to be purchased and a total is calculated. The quantity is taken from the session attribute without any range check, so a negative value produces a negative total.

    ...
    public static final double price = 20.00;
    /* quantity comes straight from user-controlled state and is never
     * range-checked: zero, negative or huge values all reach the arithmetic */
    int quantity = currentUser.getAttribute("quantity");
    double total = price * quantity;
    chargeUser(total);
    ...

Bad · Java

This example asks the user for a height and width of an m x n game board with a maximum dimension of 100 squares. Only the upper bound is checked: a negative height or width passes the check and is multiplied into the malloc size.

    ...
    #define MAX_DIM 100
    ...
    /* board dimensions */
    int m, n, error;
    board_square_t *board;
    printf("Please specify the board height: \n");
    error = scanf("%d", &m);
    if ( EOF == error ){
        die("No integer passed: Die evil hacker!\n");
    }
    printf("Please specify the board width: \n");
    error = scanf("%d", &n);
    if ( EOF == error ){
        die("No integer passed: Die evil hacker!\n");
    }
    /* upper bound only: m or n may still be negative or zero here */
    if ( m > MAX_DIM || n > MAX_DIM ) {
        die("Value too large: Die evil hacker!\n");
    }
    board = (board_square_t*) malloc( m * n * sizeof(board_square_t));
    ...

Bad · C
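The two CWE examples above show only the flawed code. The following is an added example (not MITRE's code and not from this page) that applies the "accept known good" strategy to both cases: it parses a quantity strictly as a decimal integer, rejects anything outside an explicit [lo, hi] range (which also rejects negative and zero values), and checks for arithmetic overflow before the multiplication that sizes an allocation or computes a price. MAX_QUANTITY, PRICE_CENTS, the board_square_t type and all function names are illustrative assumptions.

```c
/* Added example: strict "accept known good" validation of quantities before
 * they are used for allocation or arithmetic (CWE-1284 hardening).
 * Not code from MITRE or the original page; limits and names are assumed. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_DIM 100          /* same board limit as the CWE example */
#define MAX_QUANTITY 1000    /* assumed per-order cap for the shop example */
#define PRICE_CENTS 2000     /* 20.00 kept as integer cents (assumption) */

typedef struct { int owner; } board_square_t;   /* assumed board cell type */

/* Parse a decimal integer strictly: must start with a digit (no sign, no
 * whitespace), consume the whole string, not overflow long, and lie within
 * [lo, hi]. Returns true only for acceptable input. */
static bool parse_quantity(const char *s, long lo, long hi, long *out)
{
    char *end;
    long v;
    if (s == NULL || *s < '0' || *s > '9')
        return false;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')   /* overflow or trailing junk */
        return false;
    if (v < lo || v > hi)                  /* rejects 0, negatives, too large */
        return false;
    *out = v;
    return true;
}

/* Bytes needed for an m x n board of elem-byte cells; 0 means rejected.
 * The dimension check makes cells <= 10000, the SIZE_MAX check is
 * defence in depth for larger limits or larger element types. */
static size_t board_bytes(long m, long n, size_t elem)
{
    if (m < 1 || m > MAX_DIM || n < 1 || n > MAX_DIM || elem == 0)
        return 0;
    size_t cells = (size_t)m * (size_t)n;
    if (cells > SIZE_MAX / elem)
        return 0;
    return cells * elem;
}

/* Board size from two untrusted strings (what scanf would have read). */
static size_t board_bytes_from_input(const char *height, const char *width)
{
    long m, n;
    if (!parse_quantity(height, 1, MAX_DIM, &m) ||
        !parse_quantity(width, 1, MAX_DIM, &n))
        return 0;
    return board_bytes(m, n, sizeof(board_square_t));
}

/* Order total in cents for an untrusted quantity field; -1 means rejected.
 * A negative quantity can no longer turn a charge into a refund. */
static long order_total_cents(const char *quantity_field)
{
    long q;
    if (!parse_quantity(quantity_field, 1, MAX_QUANTITY, &q))
        return -1;
    if (q > LONG_MAX / PRICE_CENTS)        /* overflow guard before multiply */
        return -1;
    return q * PRICE_CENTS;
}

int main(void)
{
    /* Constructed sample inputs, including the ones the CWE examples miss. */
    const char *qty[] = { "3", "-5", "0", "1001", "12abc", "" };
    for (size_t i = 0; i < sizeof(qty) / sizeof(qty[0]); i++)
        printf("quantity \"%s\" -> %ld cents\n", qty[i], order_total_cents(qty[i]));

    printf("board 100x100 -> %zu bytes\n", board_bytes_from_input("100", "100"));
    printf("board -1x50   -> %zu bytes\n", board_bytes_from_input("-1", "50"));
    printf("board 101x50  -> %zu bytes\n", board_bytes_from_input("101", "50"));
    return 0;
}
```

The parser refuses leading signs and whitespace on purpose: `strtol` would silently accept "  -5" or "+5", and accepting a sign only to reject it later is the kind of path that gets lost when the range check is edited.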
CVE ID | Title | CVSS | Risk level | Published
CVE-2013-0270 | OpenStack Keystone denial of service vulnerability (Red Hat OpenStack Platform 13 (Queens)) | 6.5 | Medium | 2013-04-12

CWE-1284 is a common weakness category; this platform has indexed 151 CVE entries associated with it.