
CWE-404 Improper Resource Shutdown or Release: vulnerability list (356)

Summary of the 356 CVE vulnerabilities in the CWE-404 (Improper Resource Shutdown or Release) weakness class, with AI-generated analysis in Chinese.

CWE-404 is a resource-management flaw: the program fails to release, or incorrectly releases, a resource before that resource is reused. Attackers commonly exploit it to exhaust system resources, causing denial of service or memory leaks. Developers must make sure resources are released on every execution path (including exceptions and timeouts) and manage resource lifetimes strictly, so that leaks are prevented and the system stays stable.

Official MITRE CWE description
CWE-404 Improper Resource Shutdown or Release. Description: the product does not release or incorrectly releases a resource before it is made available for re-use. Extended description: when a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.
Common consequences (2)
Scope: Availability, Other. Impact: DoS: Resource Consumption (Other); Varies by Context.
Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker might be able to launch a denial of service attack by depleting the resource pool.
Scope: Confidentiality. Impact: Read Application Data.
When a resource containing sensitive information is not correctly shut down, it may expose the sensitive data in a subsequent allocation.
Potential mitigations (4)
Phase: Requirements. Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Phase: Implementation. It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function, including error conditions.
Phase: Implementation. Memory should be allocated and freed using matching functions such as malloc/free, new/delete, and new[]/delete[].
Phase: Implementation. When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself.
Demonstrative examples (2)
The following method never closes the new file handle. Given enough time, the finalize() method for BufferedReader should eventually call close(), but there is no guarantee as to how long this action will take. In fact, there is no guarantee that finalize() will ever be invoked. In a busy environment, the operating system could use up all of the available file handles before the close() function is …

    private void processFile(String fName) throws IOException {
        // The reader is opened here but never closed: the underlying file
        // handle stays allocated until the garbage collector (maybe) finalizes it.
        BufferedReader fil = new BufferedReader(new FileReader(fName));
        String line;
        while ((line = fil.readLine()) != null) {
            processLine(line);
        }
    }

Bad · Java

    private void processFile(String fName) throws IOException {
        BufferedReader fil = new BufferedReader(new FileReader(fName));
        String line;
        while ((line = fil.readLine()) != null) {
            processLine(line);
        }
        // Explicitly release the file handle instead of relying on finalization.
        fil.close();
    }

Good · Java
This code attempts to open a connection to a database and catches any exceptions that may occur.

    try {
        // The Connection is acquired here but never closed, so the database
        // connection leaks whether or not getConnection() throws.
        Connection con = DriverManager.getConnection(some_connection_string);
    } catch (Exception e) {
        log(e);
    }

Bad · Java
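The mitigation "free the resource at all exit points, including error conditions" and the file-handle exhaustion described in the first demonstrative example can be shown together. The C program below is an added example written for this page; it is not MITRE's code and not from any of the listed products. It assumes a constructed, fixed-size handle pool (POOL_SIZE slots) standing in for the operating system's handle table, and a process_line() that fails on lines beginning with '!'. The leaky variant returns early on error without releasing its handle, so repeated failing calls drain the pool until every further call fails; the fixed variant funnels every exit through one cleanup label, so the pool never depletes.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for an OS handle table with a fixed number of slots
 * (an assumption for this example, not a real kernel structure). */
#define POOL_SIZE 8
static int pool_in_use[POOL_SIZE];

/* Acquire a handle; returns -1 when every slot is taken, the exhausted-pool
 * condition that turns a leak into denial of service. */
static int pool_open(void) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool_in_use[i]) { pool_in_use[i] = 1; return i; }
    }
    return -1;
}

static void pool_close(int h) {
    if (h >= 0 && h < POOL_SIZE) pool_in_use[h] = 0;
}

void pool_reset(void) {
    for (int i = 0; i < POOL_SIZE; i++) pool_in_use[i] = 0;
}

int pool_handles_in_use(void) {
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++) n += pool_in_use[i];
    return n;
}

/* Per-line work; a line starting with '!' stands in for a processing error. */
static int process_line(const char *line) {
    return line[0] == '!' ? -1 : 0;
}

/* BAD: the handle is closed only on the success path. Any error return
 * leaks it, the same pattern as the first demonstrative example above. */
int process_file_leaky(const char *const *lines, size_t n) {
    int h = pool_open();
    if (h < 0) return -2;               /* no handle available */
    for (size_t i = 0; i < n; i++) {
        if (process_line(lines[i]) != 0)
            return -1;                  /* early exit: h is never closed */
    }
    pool_close(h);
    return 0;
}

/* GOOD: one cleanup path that runs for success and every error alike. */
int process_file_fixed(const char *const *lines, size_t n) {
    int h = pool_open();
    if (h < 0) return -2;
    int rc = 0;
    for (size_t i = 0; i < n; i++) {
        if (process_line(lines[i]) != 0) {
            rc = -1;
            goto out;                   /* error: still passes through cleanup */
        }
    }
out:
    pool_close(h);                      /* matching release for pool_open() */
    return rc;
}

/* Start from an empty pool, call fn `rounds` times on a constructed input
 * that always hits the error path, and report how many calls failed
 * because no handle was left (return value -2). */
int count_exhaustion_failures(int (*fn)(const char *const *, size_t), int rounds) {
    static const char *const bad_input[] = { "ok", "!boom", "ok" };
    int exhausted = 0;
    pool_reset();
    for (int i = 0; i < rounds; i++) {
        if (fn(bad_input, 3) == -2) exhausted++;
    }
    return exhausted;
}

int main(void) {
    int leaky = count_exhaustion_failures(process_file_leaky, 12);
    printf("leaky: %d of 12 calls hit an exhausted pool, %d handles still open\n",
           leaky, pool_handles_in_use());
    int fixed = count_exhaustion_failures(process_file_fixed, 12);
    printf("fixed: %d of 12 calls hit an exhausted pool, %d handles still open\n",
           fixed, pool_handles_in_use());
    return 0;
}
```

With eight slots, the leaky variant leaks one handle per failing call, so the ninth and every later call fails with -2 and all eight handles remain open afterwards; the fixed variant leaves the pool empty after every call. The single `out:` label is the C idiom for the "free at all exit points" mitigation; the equivalent in the page's Java examples is a finally block or try-with-resources around the reader or connection.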
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2022-3621 | Linux kernel code issue vulnerability | Kernel | 4.3 | Medium | 2022-10-20
CVE-2022-3606 | Linux kernel security vulnerability | Kernel | 3.5 | Low | 2022-10-19
CVE-2022-3594 | Linux kernel security vulnerability | Kernel | 5.3 | Medium | 2022-10-18
CVE-2022-3533 | Linux kernel security vulnerability | Kernel | 3.5 | Low | 2022-10-17
CVE-2022-3543 | Linux kernel security vulnerability | Kernel | 3.5 | Low | 2022-10-17
CVE-2022-3544 | Linux kernel security vulnerability | Kernel | 3.5 | Low | 2022-10-17
CVE-2022-3551 | X.org Server security vulnerability | Server | 3.5 | Low | 2022-10-17
CVE-2022-3553 | X.org Server security vulnerability | Server | 3.5 | Low | 2022-10-17
CVE-2022-3563 | Linux kernel security vulnerability | Kernel | 3.5 | Low | 2022-10-17
CVE-2022-3524 | Linux kernel security vulnerability | Kernel | 4.3 | Medium | 2022-10-16
CVE-2022-3526 | Linux kernel security vulnerability | Kernel | 5.3 | Medium | 2022-10-16
CVE-2022-3354 | Open5GS security vulnerability | Open5GS | 3.5 | Low | 2022-09-28
CVE-2022-3299 | Open5GS security vulnerability | Open5GS | 4.3 | Medium | 2022-09-26
CVE-2022-2776 | Gym Management System security vulnerability | Gym Management System | 5.4 | Medium | 2022-08-11
CVE-2022-35272 | F5 BIG-IP security vulnerability | BIG-IP | 7.5 | High | 2022-08-04
CVE-2022-35240 | F5 BIG-IP security vulnerability | BIG-IP | 7.5 | High | 2022-08-04
CVE-2022-31182 | Discourse security vulnerability | discourse | 5.3 | Medium | 2022-08-01
CVE-2022-2591 | TEM FLEX-1085 security vulnerability | FLEX-1085 | 7.5 | High | 2022-07-31
CVE-2022-2191 | Eclipse Jetty security vulnerability | Eclipse Jetty | 7.5 | High | 2022-07-07
CVE-2022-23717 | Ping Identity Windows PingId security vulnerability | PingID Windows Login | 5.0 | Medium | 2022-06-30
CVE-2017-20024 | Solar-Log GmbH security vulnerability | Solar-Log | 5.3 | Medium | 2022-06-09
CVE-2022-25762 | Apache Tomcat code issue vulnerability | Apache Tomcat | 9.4 | - | 2022-05-13
CVE-2022-1289 | tildearrow Furnace security vulnerability | Furnace | 4.3 | Medium | 2022-04-10
CVE-2017-20015 | WEKA INTEREST Security Scanner security vulnerability | INTEREST Security Scanner | 2.8 | Low | 2022-03-28
CVE-2017-20014 | WEKA INTEREST Security Scanner security vulnerability | INTEREST Security Scanner | 2.8 | Low | 2022-03-28
CVE-2017-20013 | WEKA INTEREST Security Scanner security vulnerability | INTEREST Security Scanner | 2.8 | Low | 2022-03-28
CVE-2017-20012 | WEKA INTEREST Security Scanner security vulnerability | INTEREST Security Scanner | 2.8 | Low | 2022-03-28
CVE-2017-20011 | WEKA INTEREST Security Scanner security vulnerability | INTEREST Security Scanner | 2.8 | Low | 2022-03-28
CVE-2010-10001 | Shemes Grabit security vulnerability | GrabIt | 5.3 | Medium | 2022-03-28
CVE-2015-10002 | Kiddoware Kids Place security vulnerability | Kids Place | 5.3 | Medium | 2022-03-28

CWE-404 (Improper Resource Shutdown or Release) is a common weakness class; this platform has collected 356 CVE vulnerabilities associated with it.