
CWE-552 Files or Directories Accessible to External Parties: vulnerability list (207)

Summary of the 207 CVE vulnerabilities associated with the CWE-552 (Files or Directories Accessible to External Parties) weakness class, with AI-generated Chinese analysis.

CWE-552 belongs to the class of improper permission configuration weaknesses: the product mistakenly exposes files or directories to unauthorized external entities. Attackers typically exploit this defect by directly accessing sensitive files under the server's root directory in order to steal confidential data or perform malicious operations. Developers should avoid storing sensitive files on web or FTP servers and should implement strict access-control mechanisms that ensure only authorized users can reach specific resources, thereby preventing information disclosure.

Official MITRE CWE description

CWE: CWE-552 Files or Directories Accessible to External Parties. English: The product makes files or directories accessible to unauthorized actors, even though they should not be. Web servers, FTP servers, and similar servers may store a set of files underneath a "root" directory that is accessible to the server's users. Applications may store sensitive files underneath this root without also using access control to limit which users may request those files, if any. Alternately, an application might package multiple files or directories into an archive file (e.g., ZIP or tar), but the application might not exclude sensitive files that are underneath those directories. In cloud technologies and containers, this weakness might present itself in the form of misconfigured storage accounts that can be read or written by a public or anonymous user.

Common consequences (1)

Scope: Confidentiality, Integrity. Technical impact: Read Files or Directories; Modify Files or Directories.

Mitigations (1)

Phases: Implementation, System Configuration, Operation. When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.

Code examples (2)

The following Azure command updates the settings for a storage account:

Bad (Shell):
az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access true

Good (Shell):
az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access false

The following Google Cloud Storage command gets the settings for a storage account named 'BUCKET_NAME':

Informative (Shell):
gsutil iam get gs://BUCKET_NAME

Bad (JSON): the returned policy binds the public principal allUsers to roles/storage.legacyBucketReader, so the bucket is readable by anyone.
{
  "bindings": [
    {
      "members": [
        "projectEditor:PROJECT-ID",
        "projectOwner:PROJECT-ID"
      ],
      "role": "roles/storage.legacyBucketOwner"
    },
    {
      "members": [
        "allUsers",
        "projectViewer:PROJECT-ID"
      ],
      "role": "roles/storage.legacyBucketReader"
    }
  ]
}
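The following Python script is an added example (not part of this page or of the MITRE entry) showing how a defender can audit a policy document in the `gsutil iam get` format above for the public principals `allUsers` and `allAuthenticatedUsers`, and how the corresponding fix (removing those principals from every binding) looks. The "bad" policy is the one quoted above with `PROJECT-ID` left as a placeholder; the "good" policy, the function names and the handling of an `etag`/`version` field are assumptions made for this illustration.

```python
import json

# GCS IAM member identifiers that grant access to everyone on the internet
# (allUsers) or to any Google-authenticated account (allAuthenticatedUsers).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Policy as returned by `gsutil iam get` in the "Bad" case on this page,
# pretty-printed. PROJECT-ID is a placeholder, not a real project.
BAD_POLICY_JSON = """
{
  "bindings": [
    {"members": ["projectEditor:PROJECT-ID", "projectOwner:PROJECT-ID"],
     "role": "roles/storage.legacyBucketOwner"},
    {"members": ["allUsers", "projectViewer:PROJECT-ID"],
     "role": "roles/storage.legacyBucketReader"}
  ]
}
"""

# Constructed counterpart of the same policy with the public binding removed.
GOOD_POLICY_JSON = """
{
  "bindings": [
    {"members": ["projectEditor:PROJECT-ID", "projectOwner:PROJECT-ID"],
     "role": "roles/storage.legacyBucketOwner"},
    {"members": ["projectViewer:PROJECT-ID"],
     "role": "roles/storage.legacyBucketReader"}
  ]
}
"""


def public_bindings(policy):
    """Return (role, member) pairs that expose the bucket to a public principal."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member.strip() in PUBLIC_MEMBERS:
                findings.append((role, member.strip()))
    return findings


def audit_policy_json(text):
    """Parse a policy document and list its public bindings."""
    return public_bindings(json.loads(text))


def is_public(text):
    """True when at least one binding grants access to a public principal."""
    return bool(audit_policy_json(text))


def strip_public_members(policy):
    """Return a copy of the policy with public principals removed.

    Bindings left without members are dropped entirely; etag/version are
    carried over so the result can be submitted with `gsutil iam set`.
    """
    fixed = {"bindings": []}
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", [])
                   if m.strip() not in PUBLIC_MEMBERS]
        if members:
            fixed["bindings"].append({"role": binding["role"], "members": members})
    for key in ("etag", "version"):
        if key in policy:
            fixed[key] = policy[key]
    return fixed


def fix_policy_json(text):
    """Parse a policy document and return the hardened policy as a dict."""
    return strip_public_members(json.loads(text))


if __name__ == "__main__":
    for role, member in audit_policy_json(BAD_POLICY_JSON):
        print(f"PUBLIC ACCESS: {member} has {role}")
    print(json.dumps(fix_policy_json(BAD_POLICY_JSON), indent=2))
```

Running the script on the bad policy reports `allUsers` under `roles/storage.legacyBucketReader` and prints the hardened policy, which matches the constructed good policy; in practice the audit would be run over the output of `gsutil iam get` for each bucket.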
CVE ID | Title | Affected product | CVSS | Risk level | Published
CVE-2026-45543 | Nextcloud: file shares remain after a form collaborator is removed | security-advisories | 5.3 | Medium | 2026-06-01
CVE-2026-40425 | Danelec Marine Danelec MacGregor Voyage Data Recorder security vulnerability | MacGregor Voyage Data Recorder (VDR) G4e | 5.7 | Medium | 2026-05-29
CVE-2024-11399 | Synology BeeDrive security vulnerability | BeeDrive for desktop | 6.8 | Medium | 2026-05-27
CVE-2026-40564 | Apache Flink Kubernetes Operator security vulnerability | Apache Flink Kubernetes Operator | - | - | 2026-05-26
CVE-2026-8704 | Crypt::DSA security vulnerability | Crypt::DSA | - | - | 2026-05-15
CVE-2026-42063 | F5 BIG-IP security vulnerability | BIG-IP | 4.9 | Medium | 2026-05-13
CVE-2026-40631 | F5 BIG-IP security vulnerability | BIG-IP | 6.5 | Medium | 2026-05-13
CVE-2026-32185 | Microsoft Teams security vulnerability | Microsoft Teams for Android | 5.5 | Medium | 2026-05-12
CVE-2026-35440 | Microsoft Word security vulnerability | Microsoft 365 Apps for Enterprise | 5.5 | Medium | 2026-05-12
CVE-2025-7389 | Progress OpenEdge security vulnerability | OpenEdge | 6.5 | - | 2026-04-14
CVE-2019-25709 | CF Image Hosting Script security vulnerability | CF Image Hosting Script | 9.8 | Critical | 2026-04-12
CVE-2026-33698 | Chamilo LMS security vulnerability | chamilo-lms | 9.8 | - | 2026-04-10
CVE-2021-47960 | Synology SSL VPN Client security vulnerability | Synology SSL VPN Client | 6.5 | Medium | 2026-04-10
CVE-2026-35446 | LORIS Neuroimaging Platform security vulnerability | Loris | 7.7 | High | 2026-04-08
CVE-2026-34392 | LORIS Neuroimaging Platform security vulnerability | Loris | 7.5 | High | 2026-04-08
CVE-2026-34361 | HAPI FHIR security vulnerability | org.hl7.fhir.core | 9.3 | Critical | 2026-03-31
CVE-2026-4900 | Code-Projects Online Food Ordering System security vulnerability | Online Food Ordering System | 5.3 | Medium | 2026-03-26
CVE-2021-4474 | Ruckus Wireless multiple products security vulnerability | RUCKUS Access Point | 4.9 | Medium | 2026-03-26
CVE-2026-4760 | Codra Panorama Suite security vulnerability | Panorama Suite | 7.5 | - | 2026-03-25
CVE-2026-4532 | Code-Projects Simple Food Ordering System security vulnerability | Simple Food Ordering System | 5.3 | Medium | 2026-03-22
CVE-2016-20025 | ZKTeco ZKAccess Professional security vulnerability | ZKTeco ZKAccess Professional | 8.8 | High | 2026-03-15
CVE-2026-29066 | TinaCMS security vulnerability | cli | 6.2 | Medium | 2026-03-12
CVE-2018-25164 | Phpmassmail EverSync security vulnerability | EverSync | 7.5 | High | 2026-03-06
CVE-2026-2331 | SICK Lector85x and SICK Lector83x security vulnerability | SICK Lector85x | 9.8 | Critical | 2026-03-06
CVE-2026-2330 | SICK Lector85x and SICK Lector83x security vulnerability | SICK Lector85x | 9.4 | Critical | 2026-03-06
CVE-2026-24732 | Hallo Welt! BlueSpice security vulnerability | BlueSpice | 6.5 (AI) | Medium (AI) | 2026-03-04
CVE-2020-37082 | webERP security vulnerability | webERP | 9.8 | Critical | 2026-02-03
CVE-2026-25137 | Nixpkgs security vulnerability | nixpkgs | 9.1 | Critical | 2026-02-02
CVE-2025-12648 | WordPress plugin WP-Members Membership Plugin security vulnerability | WP-Members Membership Plugin | 5.3 | Medium | 2026-01-07
CVE-2025-15153 | PbootCMS security vulnerability | PbootCMS | 3.7 | Low | 2025-12-28

"-" means no score or rating is recorded; "(AI)" marks a value produced by the platform's AI analysis.

CWE-552 (Files or Directories Accessible to External Parties) is a common weakness class; this platform has catalogued 207 CVE vulnerabilities associated with it.