目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1325

100%
请我们喝杯咖啡

CWE-428 未经引用的搜索路径或元素 类漏洞列表 304

CWE-428 未经引用的搜索路径或元素 类弱点 304 条 CVE 漏洞汇总,含 AI 中文分析。

CWE-428 是未加引号搜索路径或元素漏洞,属于路径处理缺陷。当路径元素含空格且未加引号时,系统可能解析错误,导致访问父目录资源。攻击者可通过在父目录放置恶意文件(如 Program.exe)诱导特权程序执行,从而提升权限。开发者应避免使用含空格的路径,或对路径元素严格加引号,确保解析准确,防止路径遍历和权限提升风险。

MITRE CWE 官方描述
CWE:CWE-428 未加引号的路径或元素 (Unquoted Search Path or Element) 英文:产品使用的搜索路径中包含一个未加引号的元素,该元素包含空格或其他分隔符。这可能导致产品访问父路径中的资源。 如果恶意用户能够访问文件系统,则可以通过插入类似 "C:\Program.exe" 的文件,由使用 WinExec 的特权程序执行,从而实现权限提升。
常见影响 (1)
Confidentiality, Integrity, AvailabilityExecute Unauthorized Code or Commands
缓解措施 (3)
ImplementationProperly quote the full search path before executing a program on the system.
ImplementationAssume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
ImplementationInputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
代码示例 (1)
The following example demonstrates the weakness.
UINT errCode = WinExec( "C:\\Program Files\\Foo\\Bar", SW_SHOW );
Bad · C
CVE ID标题CVSS风险等级Published
CVE-2024-22437 Hewlett Packard Enterprise MSA SAN Storage和VSS Provider and CAPI Proxy software 安全漏洞 — HPE MSA SAN Storage VSS Provider and CAPI Proxy Software 7.3 High2024-04-15
CVE-2024-1618 Faronics Deep Freeze 代码问题漏洞 — Deep Freeze Server Standard 7.8 High2024-03-12
CVE-2024-25552 Wiesemann & Theis Com Redirector Legacy 安全漏洞 — Com Redirector PnP 7.8 High2024-03-01
CVE-2024-1201 PanteraSoft HDD Health 代码问题漏洞 — HDD Health 7.8 High2024-02-02
CVE-2020-24682 B&R Industrial Automation Studio 代码问题漏洞 — Automation Studio 7.2 High2024-02-02
CVE-2023-7043 ESET Endpoint Security和ESET Endpoint Antivirus 安全漏洞 — ESET Endpoint Security 3.3 Low2024-01-31
CVE-2023-6631 SUBNET PowerSYSTEM Center 安全漏洞 — PowerSYSTEM Center 7.8 High2024-01-08
CVE-2023-0392 Okta LDAP Agent 安全漏洞 — LDAP Agent 8.8AIHighAI2023-11-08
CVE-2023-42486 Fortect 代码问题漏洞 — Fortect 6.3 Medium2023-09-27
CVE-2023-5012 Topaz Labs OFD 代码问题漏洞 — OFD 5.3 Medium2023-09-16
CVE-2023-4991 NextBX QWAlerter 代码问题漏洞 — QWAlerter 7.8 High2023-09-15
CVE-2023-2685 ABB Advance Optima OPC 代码问题漏洞 — AO-OPC 7.2 High2023-07-28
CVE-2023-3842 Pointware EasyInventory 代码问题漏洞 — EasyInventory 7.8 High2023-07-23
CVE-2023-3438 Trellix MOVE 代码问题漏洞 — Trellix Move 4.4 Medium2023-07-03
CVE-2022-0357 Bitdefender Total Security 代码问题漏洞 — Total Security 6.7 Medium2023-05-24
CVE-2023-2644 HID Global DigitalPersona FPSensor 代码问题漏洞 — FPSensor 5.3 Medium2023-05-11
CVE-2023-2417 KS-Soft HostMonitor 代码问题漏洞 — Advanced Host Monitor 5.3 Medium2023-04-29
CVE-2023-2331 42Gears Surelock 代码问题漏洞 — Surelock Windows 7.8 High2023-04-27
CVE-2023-24575 Dell Multifunction Printer E525w 安全漏洞 — Dell Multifunction Printer E525w Driver and Software Suite 7.8 High2023-02-21
CVE-2023-0887 Tftpd64 代码问题漏洞 — TFTPD64-SE 7.0 High2023-02-17
CVE-2022-4258 HIMA Paul Hildebrandt X-OPC 、X-OTS 代码问题漏洞 — HOPCS 7.8 High2023-01-16
CVE-2022-4429 Avira Security 代码问题漏洞 — Avira Security for Windows 5.3 Medium2023-01-10
CVE-2022-33920 Dell GeoDrive 代码问题漏洞 — GeoDrive 7.8 High2022-10-12
CVE-2022-35292 SAP Business One 代码问题漏洞 — SAP Business One 7.3 -2022-09-13
CVE-2016-15003 FileZilla 代码问题漏洞 — Client 6.3 Medium2022-07-18
CVE-2022-31591 SAP BusinessObjects BW Publisher Service 代码问题漏洞 — SAP BusinessObjects (BW Publisher Service) 7.8 -2022-07-12
CVE-2022-2147 Cloudflare Warp 代码问题漏洞 — WARP 6.5 Medium2022-06-23
CVE-2022-31590 SAP PowerDesigner 代码问题漏洞 — SAP PowerDesigner Proxy 16.7 7.8 -2022-06-14
CVE-2022-0883 Snow License Manager 代码问题漏洞 — Snow License Manager 7.3 High2022-05-18
CVE-2020-14521 Mitsubishi Electric Factory Automation 多款产品代码问题漏洞 — C Controller Interface Module Utility 8.3 High2022-02-11

CWE-428(未经引用的搜索路径或元素) 是常见的弱点类别,本平台收录该类弱点关联的 304 条 CVE 漏洞。