
CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer: vulnerability list (49)

49 CVEs associated with the CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer) weakness class, with AI-generated analysis in Chinese.

CWE-212 is an information-exposure weakness: the product stores, transfers or shares a resource (a document, a network packet or HTTP header set, a message, a database export, an API response) that still contains sensitive information when it reaches a party outside the trusted group. Typical leaks are document metadata such as reviewer comments and local pathnames, internal IP addresses left in forwarded headers, and record fields that one output path filters while another serialises the whole record. The defence is to state explicitly which information counts as sensitive, scrub it at the trust boundary before the resource is published or exported, prefer an allow-list of what may leave over a deny-list of what must not, keep that scrubbing step on every output path rather than inside one view, and restrict access to the unscrubbed original. This is not about securely erasing discarded media: the information was intentionally retained in the resource, which the product then handed to someone who should not see it.

MITRE CWE official description
CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer. The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. Resources that may contain sensitive data include documents, packets, messages, databases, etc. While this data may be useful to an individual user or small set of users who share the resource, it may need to be removed before the resource can be shared outside of the trusted group. The process of removal is sometimes called cleansing or scrubbing. For example, a product for editing documents might not remove sensitive data such as reviewer comments or the local pathname where the document is stored. Or, a proxy might not remove an internal IP address from headers before making an outgoing request to an Internet site.
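The proxy case in the description above, as an added example (not MITRE's code and not from any product on this page): a Python egress-header scrubber that drops headers known to carry internal topology by name, then verifies that no remaining value still contains a private, loopback or link-local IPv4 address before the request is allowed out. The list of internal header names, the `X-Internal-Route` and `X-Debug-Origin` headers and the sample request are constructed assumptions.

```python
"""Strip internal network details from proxied request headers (CWE-212).

Added example, not MITRE text or code. The header names treated as internal
and the constructed sample request below are assumptions for illustration.
"""
import ipaddress
import re

# Headers that by convention carry upstream topology or hop-by-hop data and
# must not cross the trust boundary. Assumption: these are the ones this
# hypothetical proxy is known to add internally.
INTERNAL_HEADERS = frozenset(h.lower() for h in (
    "x-forwarded-for", "x-forwarded-host", "x-forwarded-server", "x-real-ip",
    "forwarded", "via", "x-internal-route",
))

# Candidate IPv4 literals; each one is validated with ipaddress below.
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_internal_address(text: str) -> bool:
    """True if text is an IPv4 literal in a private, loopback or link-local range."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def find_internal_addresses(headers: dict[str, str]) -> dict[str, list[str]]:
    """Report every header whose value still contains an internal IPv4 address.

    This is the check that catches what a name-based deny-list misses, e.g. an
    application header such as X-Debug-Origin that nobody thought to list.
    """
    findings: dict[str, list[str]] = {}
    for name, value in headers.items():
        hits = [m for m in _IPV4.findall(value) if is_internal_address(m)]
        if hits:
            findings[name] = hits
    return findings


def scrub_outbound_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return a copy of headers that is safe to forward to an external origin.

    Two layers: drop known internal headers by name, then verify no remaining
    value carries an internal address. Failing closed (raising) is deliberate:
    forwarding a request that leaks topology is worse than rejecting it.
    """
    kept = {n: v for n, v in headers.items() if n.lower() not in INTERNAL_HEADERS}
    leaks = find_internal_addresses(kept)
    if leaks:
        raise ValueError(f"internal addresses remain in outbound headers: {leaks}")
    return kept


# Constructed sample: what an internal hop might hand to the egress proxy.
SAMPLE_REQUEST_HEADERS = {
    "Host": "api.example.com",
    "User-Agent": "internal-service/1.0",
    "X-Forwarded-For": "10.12.4.31, 172.16.0.9",
    "Via": "1.1 edge-proxy-01.corp.internal",
    "X-Request-Id": "4f9c1b7e",
}

# Same request, but an unlisted application header also carries an internal IP.
SAMPLE_WITH_STRAY_LEAK = {**SAMPLE_REQUEST_HEADERS, "X-Debug-Origin": "192.168.7.20:8443"}


if __name__ == "__main__":
    print(scrub_outbound_headers(SAMPLE_REQUEST_HEADERS))
    try:
        scrub_outbound_headers(SAMPLE_WITH_STRAY_LEAK)
    except ValueError as exc:
        print("blocked:", exc)
```

The name-based list is the scrub step; the address scan is the check that tells you when the list is incomplete, which is the usual way this weakness survives a first fix.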
Common Consequences (1)
Confidentiality: Read Files or Directories, Read Application Data
Sensitive data may be exposed to an unauthorized actor in another control sphere. This may have a wide range of secondary consequences that will depend on what data is exposed. One possibility is the exposure of system data - such as file l…
Mitigations (5)
Requirements: Clearly specify which information should be regarded as private or sensitive, and require that the product offers functionality that allows the user to cleanse the sensitive information from the resource before it is published or exported to other parties.
Architecture and Design: Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
Implementation, Operation: Some tools can automatically analyze documents to redact, strip, or "sanitize" private information, although some human review might be necessary. Tools may vary in terms of which document formats can be processed. When calling an external program to automatically generate or convert documents, invoke the program with any available options that avoid generating sensitive metada…
Implementation: Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Effectiveness: Defense in Depth
Implementation: Avoid errors related to improper resource shutdown or release (CWE-404), which may leave the sensitive data within the resource if it is in an incomplete state.
Code Example (1)

This code either generates a public HTML user information page or a JSON response containing the same user information. The email filter exists only on the HTML path; the JSON path hands the full record to json_encode(), so the API exposes exactly the field the page hides.

Bad (PHP):

```php
// API flag, output JSON if set
$json = $_GET['json'];
$username = $_GET['user'];

if (!$json) {
    $record = getUserRecord($username);
    foreach ($record as $fieldName => $fieldValue) {
        if ($fieldName == "email_address") {
            // skip displaying user emails
            continue;
        } else {
            writeToHtmlPage($fieldName, $fieldValue);
        }
    }
} else {
    // The filter above is never reached on this path: the whole record,
    // email_address included, is serialised and returned to any API caller.
    $record = getUserRecord($username);
    echo json_encode($record);
}
```
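A hardened counterpart to the PHP example above, written here in Python as an added example (it is not MITRE's code and not a line-for-line translation of it). Instead of deny-listing `email_address` on one output path, it projects the raw record onto a `PublicUser` type through a single allow-list scrub and gives only that type to both renderers, so a new sensitive column is omitted by default. The record fields, `PublicUser`, `get_user_record()` and the two renderers are assumptions standing in for the page's getUserRecord() and writeToHtmlPage().

```python
"""Hardened counterpart to the CWE-212 PHP example: scrub once, at the trust
boundary, before any representation is produced.

Added example, not MITRE's code. The record fields, PublicUser and the
renderers are assumptions standing in for getUserRecord()/writeToHtmlPage().
"""
import html
import json
from dataclasses import asdict, dataclass, fields

# Constructed sample row: the kind of record getUserRecord() would return.
USER_RECORD = {
    "id": 1042,
    "username": "alice",
    "display_name": "Alice",
    "email_address": "alice@example.com",
    "password_hash": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA",
    "last_login_ip": "10.0.4.17",
}


def get_user_record(username: str) -> dict:
    """Stand-in for the page's getUserRecord(): returns the raw database row."""
    if username != USER_RECORD["username"]:
        raise KeyError(username)
    return dict(USER_RECORD)


@dataclass(frozen=True)
class PublicUser:
    """The only fields permitted to cross the trust boundary.

    Both renderers accept a PublicUser, never a raw dict, so a sensitive
    column added later is dropped by default rather than exposed by default
    (the "strong types, separate sensitive data" mitigation above).
    """
    id: int
    username: str
    display_name: str


def scrub_user_record(record: dict) -> PublicUser:
    """Allow-list projection of a raw record onto PublicUser.

    The PHP example deny-listed "email_address" on the HTML path and forgot
    the JSON path. Here anything not declared on PublicUser (email_address,
    password_hash, last_login_ip, ...) is dropped regardless of output path.
    """
    allowed = {f.name for f in fields(PublicUser)}
    return PublicUser(**{k: v for k, v in record.items() if k in allowed})


def render_html(user: PublicUser) -> str:
    """HTML view. Escaping is orthogonal to scrubbing; both are required."""
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(str(v))}</td></tr>"
        for k, v in asdict(user).items()
    )
    return f"<table>{rows}</table>"


def render_json(user: PublicUser) -> str:
    """JSON view. Serialises the PublicUser, never the raw record."""
    return json.dumps(asdict(user), sort_keys=True)


def handle_request(username: str, want_json: bool) -> str:
    """Single choke point: scrub first, choose the representation second."""
    public = scrub_user_record(get_user_record(username))
    return render_json(public) if want_json else render_html(public)


if __name__ == "__main__":
    print(handle_request("alice", want_json=False))
    print(handle_request("alice", want_json=True))
```

The structural point is that the scrub happens before the branch on output format, so adding a third representation later (CSV export, webhook payload) cannot reintroduce the leak without also changing `PublicUser`.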
CVE ID | Title | Affected product | CVSS | Risk | Published
CVE-2026-45046 | gryph security vulnerability | gryph | 5.5 | Medium | 2026-05-27
CVE-2026-42186 | OpenBao security vulnerability | openbao | - | - | 2026-05-14
CVE-2024-43384 | PHOENIX CONTACT multiple products security vulnerability | FL MGUARD 2102 | 8.0 | High | 2026-05-07
CVE-2026-43528 | OpenClaw security vulnerability | OpenClaw | 6.5 | Medium | 2026-05-05
CVE-2026-43824 | Argo CD security vulnerability | Argo CD | 7.7 | High | 2026-05-02
CVE-2026-20928 | Microsoft Windows security vulnerability | Windows 10 Version 1607 | 4.6 | Medium | 2026-04-14
CVE-2026-39937 | MediaWiki - CentralAuth Extension security vulnerability | Mediawiki - CentralAuth Extension | 7.5 (AI) | High (AI) | 2026-04-07
CVE-2026-34214 | trino security vulnerability | trino | 7.7 | High | 2026-03-31
CVE-2026-1182 | GitLab Enterprise Edition (EE) and GitLab Community Edition (CE) security vulnerability | GitLab | 4.3 | Medium | 2026-03-12
CVE-2026-1732 | GitLab security vulnerability | GitLab | 4.3 | Medium | 2026-03-11
CVE-2026-27640 | tfplan2md security vulnerability | tfplan2md | 5.3 (AI) | Medium (AI) | 2026-02-25
CVE-2025-8860 | QEMU security vulnerability | | 3.3 | Low | 2026-02-18
CVE-2025-68131 | cbor2 security vulnerability | cbor2 | 7.5 | - | 2025-12-31
CVE-2025-14267 | M-Files Server security vulnerability | M-Files Server | 6.5 (AI) | Medium (AI) | 2025-12-19
CVE-2025-65000 | Checkmk security vulnerability | Checkmk | 7.5 (AI) | High (AI) | 2025-12-18
CVE-2025-65965 | grype security vulnerability | grype | 6.5 (AI) | Medium (AI) | 2025-11-25
CVE-2025-62483 | Zoom Clients security vulnerability | Zoom Clients | 5.3 | Medium | 2025-11-13
CVE-2025-64326 | Weblate security vulnerability | weblate | 2.6 | Low | 2025-11-06
CVE-2025-0011 | AMD Graphics Driver security vulnerability | AMD Ryzen™ 8000 Series Desktop Processors | 3.3 | Low | 2025-09-06
CVE-2025-58049 | XWiki Platform security vulnerability | xwiki-platform | 5.8 | Medium | 2025-08-28
CVE-2025-48708 | Artifex Ghostscript security vulnerability | Ghostscript | 4.0 | Medium | 2025-05-23
CVE-2025-27221 | Ruby security vulnerability | URI | 3.2 | Low | 2025-03-03
CVE-2025-20118 | Cisco APIC security vulnerability | Cisco Application Policy Infrastructure Controller (APIC) | 4.4 | Medium | 2025-02-26
CVE-2024-8474 | OpenVPN Connect security vulnerability | OpenVPN Connect | 7.5 | - | 2025-01-06
CVE-2024-56353 | JetBrains TeamCity security vulnerability | TeamCity | 5.5 | Medium | 2024-12-20
CVE-2024-41156 | Hitachi Energy TRO600 security vulnerability | TRO600 | 2.7 | Low | 2024-10-29
CVE-2024-43554 | Microsoft Windows Kernel Mode Drivers security vulnerability | Windows 10 Version 1809 | 5.5 | Medium | 2024-10-08
CVE-2024-29120 | Apache StreamPark security vulnerability | Apache StreamPark | 8.8 (AI) | High (AI) | 2024-07-17
CVE-2024-31493 | Fortinet FortiSOAR authorization issue vulnerability | FortiSOAR | 6.0 | Medium | 2024-06-03
CVE-2024-32028 | OpenTelemetry .NET security vulnerability | opentelemetry-dotnet | 4.1 | Medium | 2024-04-12

Scores and risk levels marked (AI) are the site's AI-generated assessments; "-" means no value was listed.

CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer) is a common weakness class; this platform has catalogued 49 CVEs associated with it, 30 of which appear in the table above.