
CWE-552 Files or Directories Accessible to External Parties: vulnerability list (207)

Summary of the 207 CVE vulnerabilities associated with the CWE-552 (Files or Directories Accessible to External Parties) weakness class, with AI-generated Chinese analysis.

CWE-552 belongs to the class of improper permission configuration weaknesses: the product mistakenly exposes files or directories to unauthorized external actors. Attackers typically exploit the flaw by directly requesting sensitive files under the server's root directory, stealing confidential data or performing malicious operations. Developers should avoid storing sensitive files under web or FTP server roots and enforce strict access control so that only authorized users can reach specific resources, preventing information disclosure.

MITRE CWE official description
CWE: CWE-552 Files or Directories Accessible to External Parties. Original English description: The product makes files or directories accessible to unauthorized actors, even though they should not be. Web servers, FTP servers, and similar servers may store a set of files underneath a "root" directory that is accessible to the server's users. Applications may store sensitive files underneath this root without also using access control to limit which users may request those files, if any. Alternately, an application might package multiple files or directories into an archive file (e.g., ZIP or tar), but the application might not exclude sensitive files that are underneath those directories. In cloud technologies and containers, this weakness might present itself in the form of misconfigured storage accounts that can be read or written by a public or anonymous user.
Common consequences (1)
Scope: Confidentiality, Integrity · Impact: Read Files or Directories, Modify Files or Directories
Mitigations (1)
Phase: Implementation, System Configuration, Operation · When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.
Code examples (2)
The following Azure command updates the settings for a storage account:
    az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access true
Bad · Shell
    az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access false
Good · Shell
The following Google Cloud Storage command gets the settings for a storage account named 'BUCKET_NAME':
    gsutil iam get gs://BUCKET_NAME
Informative · Shell
    {
      "bindings": [
        {
          "members": [
            "projectEditor: PROJECT-ID",
            "projectOwner: PROJECT-ID"
          ],
          "role": "roles/storage.legacyBucketOwner"
        },
        {
          "members": [
            "allUsers",
            "projectViewer: PROJECT-ID"
          ],
          "role": "roles/storage.legacyBucketReader"
        }
      ]
    }
Bad · JSON
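As an added example (not part of the CWE entry or of gsutil), the following Python audits a policy document of the shape `gsutil iam get` prints above, flags bindings granted to the public principals `allUsers` and `allAuthenticatedUsers`, and produces the hardened policy with those members removed. The sample policy and the `PROJECT-ID` and `policy.json` names are constructed placeholders.

```python
import copy
import json

# Added example, not part of the CWE entry or any vendor tool. Audits the policy
# document that `gsutil iam get gs://BUCKET_NAME` prints for public principals.
# allUsers = anyone on the internet; allAuthenticatedUsers = any Google account.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: the "Bad" policy from the CWE example; PROJECT-ID is a placeholder.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"members": ["projectEditor:PROJECT-ID", "projectOwner:PROJECT-ID"],
   "role": "roles/storage.legacyBucketOwner"},
  {"members": ["allUsers", "projectViewer:PROJECT-ID"],
   "role": "roles/storage.legacyBucketReader"}
]}
""")


def public_bindings(policy):
    """Return (role, principal) pairs that grant the bucket to public principals."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((binding["role"], member))
    return findings


def remove_public_access(policy):
    """Return a copy with public principals removed; bindings left empty are dropped."""
    fixed = copy.deepcopy(policy)
    kept = []
    for binding in fixed.get("bindings", []):
        binding["members"] = [m for m in binding["members"] if m not in PUBLIC_PRINCIPALS]
        if binding["members"]:
            kept.append(binding)
    fixed["bindings"] = kept
    return fixed


if __name__ == "__main__":
    for role, who in public_bindings(SAMPLE_POLICY):
        print(f"PUBLIC: {who} holds {role}")
    # Review the output, then apply it with: gsutil iam set policy.json gs://BUCKET_NAME
    print(json.dumps(remove_public_access(SAMPLE_POLICY), indent=2))
```

Review the hardened policy before writing it back, since a bucket that serves a public static site may hold the `allUsers` reader binding on purpose.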
CVE ID | Title | Product | CVSS | Risk level | Published
CVE-2019-25239 | V-SOL GPON/EPON OLT Platform security vulnerability | GPON/EPON OLT Platform | 7.5 | High | 2025-12-24
CVE-2018-25145 | Microhard Systems IPn4G security vulnerability | Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download | 6.5 | Medium | 2025-12-24
CVE-2025-14896 | kroki security vulnerability | kroki | 7.5 | High | 2025-12-18
CVE-2025-14697 | Sixun Shanghui Business Management System security vulnerability | Sixun Shanghui Group Business Management System | 3.7 | Low | 2025-12-15
CVE-2025-14442 | WordPress plugin Secure Copy Content Protection and Content Locking security vulnerability | Secure Copy Content Protection and Content Locking | 5.3 | Medium | 2025-12-12
CVE-2025-12747 | WordPress plugin Tainacan security vulnerability | Tainacan | 5.3 | Medium | 2025-11-21
CVE-2025-12894 | WordPress plugin Import WP security vulnerability | Import WP – Export and Import CSV and XML files to WordPress | 5.3 | Medium | 2025-11-21
CVE-2021-4463 | Longjing BEMS API security vulnerability | BEMS API | 7.5 | - | 2025-11-12
CVE-2025-11959 | Premierturk Excavation Management Information System security vulnerability | Excavation Management Information System | 8.1 | High | 2025-11-11
CVE-2025-33150 | IBM Cognos Analytics Certified Containers security vulnerability | Cognos Analytics Certified Containers | 5.3 | Medium | 2025-11-10
CVE-2025-58152 | Century Systems FutureNet MA-X series security vulnerability | FutureNet MA-X series | 5.3 | Medium | 2025-10-31
CVE-2025-11965 | Eclipse Vert.x security vulnerability | Vert.x | 7.5 (AI) | High (AI) | 2025-10-22
CVE-2025-31996 | HCL Unica Platform security vulnerability | Unica Platform | 5.3 | Medium | 2025-10-13
CVE-2025-59976 | Juniper Networks Junos Space security vulnerability | Junos Space | 6.5 | Medium | 2025-10-09
CVE-2025-61734 | Apache Kylin security vulnerability | Apache Kylin | 9.1 (AI) | Critical (AI) | 2025-10-02
CVE-2025-3025 | Gen Digital CCleaner security vulnerability | CCleaner | 7.3 | High | 2025-09-15
CVE-2025-59054 | dstack security vulnerability | dstack | 9.9 | - | 2025-09-12
CVE-2025-9273 | CData API Server security vulnerability | API Server | 6.5 | - | 2025-09-02
CVE-2025-52460 | DOS & CO SS1 security vulnerability | SS1 | 7.5 | - | 2025-08-28
CVE-2025-43758 | Liferay Portal and Liferay DXP security vulnerability | Portal | 7.5 (AI) | High (AI) | 2025-08-22
CVE-2009-10005 | ContentKeeper Web Appliance security vulnerability | Web Appliance | 7.5 (AI) | High (AI) | 2025-08-20
CVE-2025-43749 | Liferay Portal and Liferay DXP security vulnerability | Portal | 7.5 (AI) | High (AI) | 2025-08-20
CVE-2025-23276 | NVIDIA GPU Display Driver security vulnerability | GPU Display Drivers | 7.8 | High | 2025-08-02
CVE-2025-30103 | Dell SmartFabric OS10 Software security vulnerability | SmartFabric OS10 Software | 5.5 | Medium | 2025-07-30
CVE-2025-53536 | Roo Code security vulnerability | Roo-Code | 8.1 | High | 2025-07-07
CVE-2025-49797 | Brother Industries Multiple driver installers for Windows security vulnerability | Multiple driver installers for Windows | 7.8 (AI) | High (AI) | 2025-06-25
CVE-2024-56731 | Gogs security vulnerability | gogs | 10.0 | Critical | 2025-06-24
CVE-2025-0620 | Samba security vulnerability | | 4.9 | Medium | 2025-06-06
CVE-2025-40908 | libyaml security vulnerability | YAML::LibYAML | 7.5 | - | 2025-06-01
CVE-2025-4634 | jct-aq Airpointer 2D security vulnerability | Airpointer | 4.1 | Medium | 2025-05-30

CWE-552 (Files or Directories Accessible to External Parties) is a common weakness class; this platform has collected 207 CVE vulnerabilities associated with it.