目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1310

100%
请我们喝杯咖啡

CWE-427 对搜索路径元素未加控制 类漏洞列表 556

CWE-427 对搜索路径元素未加控制 类弱点 556 条 CVE 漏洞汇总,含 AI 中文分析。

CWE-427 属于路径遍历类漏洞,指程序在搜索资源时,其路径中包含可由攻击者控制的目录。攻击者通常通过在该目录下放置恶意文件或库,诱导程序加载并执行,从而劫持系统控制权。开发者应避免使用相对路径或不可信的环境变量,转而采用绝对路径,并严格限制相关目录的写入权限,以确保资源加载的安全性。

MITRE CWE 官方描述
CWE:CWE-427 Uncontrolled Search Path Element(不受控制的搜索路径元素) 英文:产品使用固定或受控的搜索路径来查找资源,但该路径中的一个或多个位置可能受到非预期行为者的控制。 尽管此弱点可能出现在任何类型的资源中,但它通常在产品使用目录搜索路径来查找可执行文件或代码库时被引入,而该路径包含一个可由攻击者修改的目录,例如 "/tmp" 或当前工作目录。在基于 Windows 的系统中,当调用 `LoadLibrary` 或 `LoadLibraryEx` 函数且 DLL 名称不包含完全限定路径时,该函数遵循的搜索顺序包括两个可能不受控制的搜索路径元素:程序加载所在的目录和当前工作目录。在某些情况下,攻击可以远程进行,例如在使用 SMB 或 WebDAV 网络共享时。该路径中的一个或多个位置可能包括 Windows 驱动器根目录或其子目录。这通常存在于基于 Linux 的代码中,这些代码假设根目录(/)或其子目录(/etc 等)是受控的,或者存在递归访问父目录的代码。在 Windows 中,驱动器根目录及其某些子目录默认具有较弱的权限,这使得它们不受控制。在某些基于 Unix 的系统中,可能会创建一个包含空元素的 PATH,例如通过将空变量拼接到 PATH 中。这个空元素可能被解释为等同于当前工作目录,这可能是一个不受信任的搜索元素。在软件包管理框架(例如 npm、RubyGems 或 PyPi)中,框架可能会识别对第三方库或其他包的依赖,然后查询包含所需包的存储库。框架可能会在私有存储库之前搜索公共存储库。攻击者可以通过在公共存储库中放置一个与私有存储库中的包同名的恶意包来利用这一点。搜索路径可能不直接由依赖框架的开发者控制,但这种搜索顺序实际上包含了一个不受信任的元素。
常见影响 (1)
Confidentiality, Integrity, AvailabilityExecute Unauthorized Code or Commands
缓解措施 (5)
Architecture and Design, ImplementationHard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
ImplementationWhen invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code ref…
ImplementationRemove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
ImplementationCheck your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory. Since this is a denylist approach, it might not be a complete solution.
ImplementationUse other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of finding the program using the PATH environment variable, while execl() and execv() require a full path.
代码示例 (2)
The following code is from a web application that allows users access to an interface through which they can update their password on the system. In this environment, user passwords can be managed using the Network Information System (NIS), which is commonly used on UNIX systems. When performing NIS updates, part of the process for updating passwords is to run a make command in the /var/yp directo…
... System.Runtime.getRuntime().exec("make"); ...
Bad · Java
In versions of Go prior to v1.19, the LookPath function would follow the conventions of the runtime OS and look for a program in the directiories listed in the current path [REF-1325].
func ExecuteGitCommand(name string, arg []string) error { c := exec.Command(name, arg...) var err error c.Path, err = exec.LookPath(name) if err != nil { return err } }
Bad · Go
CVE ID标题CVSS风险等级Published
CVE-2017-5175 Advantech WebAccess 安全漏洞 — Advantech WebAccess Versions 8.1 and prior. 7.8 -2018-05-09
CVE-2017-14010 iniNet SpiderControl MicroBrowser 安全漏洞 — MicroBrowser 7.8 -2018-04-26
CVE-2018-5457 Vyaire Medical CareFusion Upgrade Utility 安全漏洞 — Vyaire Medical CareFusion Upgrade Utility Vulnerability 7.0 -2018-02-06
CVE-2017-5170 Moxa SoftNVR-IA Live Viewer 安全漏洞 — Moxa SoftNVR-IA Live Viewer 7.2 -2018-01-18
CVE-2017-12313 Cisco Network Academy Packet Tracer software 安全漏洞 — Cisco Network Academy Packet Tracer 6.7 -2017-11-16
CVE-2017-12314 Cisco FindIT Network Discovery Utility 安全漏洞 — Cisco FindIT Discovery Utility 7.8 -2017-11-16
CVE-2017-14020 多款AutomationDirect产品安全漏洞 — CLICK Programming Software (Part Number C0-PGMSW) 7.8 -2017-11-13
CVE-2017-14029 Trihedral VTScada 安全漏洞 — Trihedral Engineering Limited VTScada 7.8 -2017-11-06
CVE-2017-14017 Progea Movicon 安全漏洞 — Progea Movicon SCADA/HMI 7.8 -2017-10-19
CVE-2017-5147 AzeoTech DAQFactory 安全漏洞 — AzeoTech DAQFactory 8.4 -2017-09-09
CVE-2017-11158 Synology Cloud Station Drive for Windows 安装程序漏洞 — Cloud Station Drive 7.8 -2017-08-31
CVE-2017-12717 Advantech WebAccess 安全漏洞 — Advantech WebAccess 7.8 -2017-08-30
CVE-2017-11159 Synology Photo Station Uploader for Windows 安全漏洞 — Photo Station Uploader 7.8 -2017-08-23
CVE-2017-5176 Rockwell Automation Connected Components Workbench 安全漏洞 — Rockwell Automation Connected Components Workbench 7.0 -2017-05-19
CVE-2017-6051 BLF-Tech LLC VisualView HMI 安全漏洞 — BLF-Tech LLC VisualView HMI 7.8 -2017-05-08
CVE-2017-6033 Schneider Electric Interactive Graphical SCADA System Software 安全漏洞 — Schneider Electric Interactive Graphical SCADA System Software 7.8 -2017-04-07

CWE-427(对搜索路径元素未加控制) 是常见的弱点类别,本平台收录该类弱点关联的 556 条 CVE 漏洞。