
CWE-59 Improper Link Resolution Before File Access ('Link Following'): vulnerability list (450)

A summary of the 450 CVE entries mapped to the CWE-59 Improper Link Resolution Before File Access ('Link Following') weakness class, with AI-generated Chinese analysis.

CWE-59 belongs to the file-access class of weaknesses: the program does not correctly validate where a link resolves to before it accesses the file. An attacker typically plants a symbolic link or shortcut that points at a sensitive resource and lets the program read or write an unintended file, which leads to information disclosure or privilege escalation. Developers should avoid using user-supplied file names directly, should validate the final resolved path before access, and should ensure that it lies inside the intended safe directory, so that link hijacking is not possible.

MITRE CWE official description
CWE-59: Improper Link Resolution Before File Access ('Link Following'). Original description: The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Common consequences (2)
Scope: Confidentiality, Integrity, Access Control. Impact: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism.
An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.
Scope: Other. Impact: Execute Unauthorized Code or Commands.
Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a ".LNK" file can be uploaded like a normal file. This can enable remote execution.

Mitigations (1)
Phase: Architecture and Design. Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
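The description above says to validate the final resolved path and keep it inside the intended directory. The following added example (written for this page, not code from MITRE or from any vendor listed below) shows in Python what that looks like on a POSIX system, where the kernel can be told to refuse links outright: every path component is opened relative to the previous directory descriptor with O_NOFOLLOW, so a symlink planted at any level fails at open time, and there is no window between a realpath() check and the actual open. The directory layout, file names and contents are constructed test data; the naive `naive_read` function is included only to show the pattern the weakness describes.

```python
import errno
import os
import stat
import tempfile


class LinkFollowingError(PermissionError):
    """Raised when a name would resolve through a link or outside the base directory."""


# errno values the kernel reports when O_NOFOLLOW / O_DIRECTORY refuse a component
# (ELOOP on Linux and macOS, EMLINK on some BSDs, ENOTDIR when a file is used as a dir).
_LINK_ERRNOS = {errno.ELOOP, errno.EMLINK, errno.ENOTDIR}


def open_within(base_dir, rel_name, flags=os.O_RDONLY):
    """Open base_dir/rel_name as a regular file without following any symlink.

    Each component is opened with openat semantics (dir_fd) and O_NOFOLLOW, so a
    link at an intermediate directory or at the final name is rejected by the
    kernel rather than silently resolved. Returns an open file descriptor.
    base_dir itself must be a real directory (resolve it once at startup).
    """
    # Lexical checks first: absolute names, empty names and ".." are never valid here.
    parts = [p for p in rel_name.replace("\\", "/").split("/") if p not in ("", ".")]
    if os.path.isabs(rel_name) or not parts or ".." in parts:
        raise LinkFollowingError(f"rejected name {rel_name!r}")

    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    dir_fd = os.open(base_dir, dir_flags)
    try:
        for comp in parts[:-1]:
            try:
                next_fd = os.open(comp, dir_flags, dir_fd=dir_fd)
            except OSError as exc:
                if exc.errno in _LINK_ERRNOS:
                    raise LinkFollowingError(f"{comp!r} is a link or not a directory") from exc
                raise
            os.close(dir_fd)
            dir_fd = next_fd
        try:
            fd = os.open(parts[-1], flags | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=dir_fd)
        except OSError as exc:
            if exc.errno in _LINK_ERRNOS:
                raise LinkFollowingError(f"{parts[-1]!r} is a link") from exc
            raise
    finally:
        os.close(dir_fd)

    # O_NOFOLLOW already excluded symlinks; also refuse FIFOs, devices and directories.
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise LinkFollowingError(f"{rel_name!r} is not a regular file")
    return fd


def read_within(base_dir, rel_name):
    """Hardened read: returns the file content, or None when the name is rejected."""
    try:
        fd = open_within(base_dir, rel_name)
    except LinkFollowingError:
        return None
    with os.fdopen(fd, "r") as f:
        return f.read()


def naive_read(base_dir, rel_name):
    """The weak pattern: join and open, so any planted link is followed."""
    with open(os.path.join(base_dir, rel_name)) as f:
        return f.read()


def build_fixture():
    """Constructed sample layout (not from the page), built in a temp directory:
       <root>/outside/secret.txt      file the application must never expose
       <root>/base/notes.txt          legitimate file
       <root>/base/leak  -> ../outside/secret.txt   link at the final component
       <root>/base/sub   -> ../outside              link at an intermediate component
    Returns the base directory path."""
    root = tempfile.mkdtemp(prefix="cwe59-")
    base, outside = os.path.join(root, "base"), os.path.join(root, "outside")
    os.mkdir(base)
    os.mkdir(outside)
    with open(os.path.join(outside, "secret.txt"), "w") as f:
        f.write("TOP SECRET\n")
    with open(os.path.join(base, "notes.txt"), "w") as f:
        f.write("hello\n")
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(base, "leak"))
    os.symlink(outside, os.path.join(base, "sub"))
    return base


if __name__ == "__main__":
    base = build_fixture()
    for name in ("notes.txt", "leak", "sub/secret.txt", "../outside/secret.txt"):
        print(f"{name:24} naive={naive_read(base, name)!r:16} hardened={read_within(base, name)!r}")
```

The naive version returns the constructed secret for `leak` and `sub/secret.txt`; the hardened version rejects both, and rejects `..` before touching the filesystem. Windows shortcuts (`.LNK`) are ordinary files to the kernel and are not covered by O_NOFOLLOW; there the equivalent control is to never let the shell layer interpret uploaded names and to apply the same least-privilege directory layout described in the mitigation.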
| CVE ID | Title | CVSS | Risk level | Published |
| --- | --- | --- | --- | --- |
| CVE-2023-42099 | Intel Driver & Support Assistant security vulnerability — Driver & Support Assistant | 7.8 | - | 2024-05-03 |
| CVE-2023-34283 | NETGEAR RAX30 security vulnerability — RAX30 | 4.6 | - | 2024-05-03 |
| CVE-2023-32179 | VIPRE Antivirus security vulnerability — Antivirus Plus | 7.8 | - | 2024-05-03 |
| CVE-2023-32178 | VIPRE Antivirus security vulnerability — Antivirus Plus | 7.8 | - | 2024-05-03 |
| CVE-2023-32175 | VIPRE Antivirus security vulnerability — Antivirus Plus | 7.8 | - | 2024-05-03 |
| CVE-2023-27347 | G Data security vulnerability — Total Security | 7.8 | - | 2024-05-03 |
| CVE-2024-23459 | Zscaler Client Connector security vulnerability — Client Connector | 7.1 | High | 2024-05-02 |
| CVE-2023-41971 | Zscaler Client Connector security vulnerability — Client Connector | 5.3 | Medium | 2024-05-02 |
| CVE-2024-29989 | Microsoft Azure Monitor security vulnerability — Azure Monitor | 8.4 | High | 2024-04-09 |
| CVE-2024-28907 | Microsoft Brokering File System security vulnerability — Windows Server 2022, 23H2 Edition (Server Core installation) | 7.8 | High | 2024-04-09 |
| CVE-2024-26216 | Microsoft Windows File Server Resource Management Service security vulnerability — Windows Server 2019 | 7.3 | High | 2024-04-09 |
| CVE-2024-21447 | Microsoft Windows Authentication Methods security vulnerability — Windows Server 2022 | 7.8 | High | 2024-04-09 |
| CVE-2024-26158 | Microsoft Install Service security vulnerability — Windows 10 Version 1809 | 7.8 | High | 2024-04-09 |
| CVE-2024-29188 | WiX Toolset security vulnerability — issues | 7.8 | High | 2024-03-24 |
| CVE-2024-28916 | Microsoft Xbox Gaming Services security vulnerability — Xbox Gaming Services | 8.8 | High | 2024-03-20 |
| CVE-2024-1753 | Buildah security vulnerability | 8.6 | High | 2024-03-18 |
| CVE-2024-21432 | Microsoft Windows Update Stack security vulnerability — Windows 10 Version 1809 | 7.0 | High | 2024-03-12 |
| CVE-2024-26199 | Microsoft Office security vulnerability — Microsoft 365 Apps for Enterprise | 7.8 | High | 2024-03-12 |
| CVE-2024-0068 | HYPR security vulnerability — Workforce Access | 5.5 | Medium | 2024-02-29 |
| CVE-2024-21397 | Microsoft Azure security vulnerability — Azure File Sync | 5.3 | Medium | 2024-02-13 |
| CVE-2024-21329 | Microsoft Azure Connected Machine Agent security vulnerability — Azure Connected Machine Agent | 7.3 | High | 2024-02-13 |
| CVE-2024-1329 | HashiCorp Nomad security vulnerability — Nomad | 7.7 | High | 2024-02-08 |
| CVE-2023-7216 | cpio link following vulnerability — Red Hat Enterprise Linux 6 | 5.3 | Medium | 2024-02-05 |
| CVE-2023-6336 | HYPR link following vulnerability — Workforce Access | 7.2 | High | 2024-01-16 |
| CVE-2023-6335 | HYPR link following vulnerability — Workforce Access | 6.4 | Medium | 2024-01-16 |
| CVE-2023-42137 | PAX Technology Android based POS link following vulnerability — POS terminals | 7.8 | High | 2024-01-15 |
| CVE-2023-31003 | IBM Security Access Manager Appliance security vulnerability — Security Verify Access Appliance | 8.4 | High | 2024-01-11 |
| CVE-2024-20656 | Microsoft Visual Studio security vulnerability — Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) | 7.8 | High | 2024-01-09 |
| CVE-2024-0206 | Trellix Anti-Malware Engine link following vulnerability — Anti-Malware Engine | 7.1 | High | 2024-01-09 |
| CVE-2023-35624 | Microsoft Azure Connected Machine Agent security vulnerability — Azure Connected Machine Agent | 7.3 | High | 2023-12-12 |

CWE-59 (Improper Link Resolution Before File Access ('Link Following')) is a common weakness class; this platform indexes 450 CVE entries associated with it.