目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1310

100%
请我们喝杯咖啡

CWE-88 参数注入或修改 类漏洞列表 161

CWE-88 参数注入或修改 类弱点 161 条 CVE 漏洞汇总,含 AI 中文分析。

CWE-88 属于参数注入漏洞,指程序在构建外部命令字符串时,未正确界定参数边界。攻击者通过注入特殊字符(如空格或引号),将恶意参数伪装成合法选项,从而执行非预期的系统命令。开发者应避免直接拼接用户输入,转而使用接受独立参数数组的 API 调用命令,或严格过滤输入中的特殊字符,以确保命令解析的准确性与安全性。

MITRE CWE 官方描述
CWE:CWE-88 命令中的参数分隔符处理不当('Argument Injection') 英文:产品为在另一个控制域中的独立组件执行的命令构建字符串,但未正确分隔该命令字符串内的预期参数、选项或开关。 在使用字符串插值创建命令时,开发人员可能假设仅会处理其指定的参数/选项。当程序员以某种方式对命令进行编码以防止恶意提供单独的命令时(例如,针对 shell 元字符的情况),这种假设可能会更加强烈。在构建命令时,开发人员可能会使用空格或其他分隔符,这些分隔符在命令执行时用于分隔参数。然而,如果攻击者能够提供包含参数分隔符的不可信输入,则生成的命令将包含比开发人员预期更多的参数。攻击者随后可能能够改变命令的行为。根据多余参数所支持的功能,这可能会产生与安全相关的后果。
常见影响 (1)
Confidentiality, Integrity, Availability, OtherExecute Unauthorized Code or Commands, Alter Execution Logic, Read Application Data, Modify Application Data
An attacker could include arguments that allow unintended commands or code to be executed, allow sensitive data to be read or modified or could cause other unintended behavior.
缓解措施 (5)
ImplementationWhere possible, avoid building a single string that contains the command and its arguments. Some languages or frameworks have functions that support specifying independent arguments, e.g. as an array, which is used to automatically perform the appropriate quoting or escaping while building the command. For example, in PHP, escapeshellarg() can be used to escape a single argument to system(), or …
Effectiveness: High
Architecture and DesignUnderstand all the potential areas where untrusted inputs can enter your product: parameters or arguments, cookies, anything read from the network, environment variables, request headers as well as content, URL components, e-mail, files, databases, and any external systems that provide data to the application. Perform input validation at well-defined interfaces.
ImplementationAssume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
ImplementationDirectly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input's values fall within the expected range of allowable values and that multi-field consistencies are maintained.
ImplementationInputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalizat…
代码示例 (2)
Consider the following program. It intends to perform an "ls -l" on an input filename. The validate_name() subroutine performs validation on the input to make sure that only alphanumeric and "-" characters are allowed, which avoids path traversal (CWE-22) and OS command injection (CWE-78) weaknesses. Only filenames like "abc" or "d-e-f" are intended to be allowed.
my $arg = GetArgument("filename"); do_listing($arg); sub do_listing { my($fname) = @_; if (! validate_name($fname)) { print "Error: name is not well-formed!\n"; return; } # build command my $cmd = "/bin/ls -l $fname"; system($cmd); } sub validate_name { my($name) = @_; if ($name =~ /^[\w\-]+$/) { return(1); } else { return(0); } }
Bad · Perl
if ($name =~ /^\w[\w\-]+$/) ...
Good · Perl
CVE-2016-10033 / [REF-1249] provides a useful real-world example of this weakness within PHPMailer.
CVE ID标题CVSS风险等级Published
CVE-2026-41013 租户控制逗号 smuggle 任意 CIFS 挂载选项 — smb-volume-release--2026-06-01
CVE-2026-49373 JetBrains TeamCity 参数注入漏洞 — TeamCity 7.1 High2026-05-29
CVE-2026-44449 Lumiverse 参数注入漏洞 — Lumiverse 9.1 Critical2026-05-26
CVE-2026-44450 Lumiverse 参数注入漏洞 — Lumiverse 9.9 Critical2026-05-26
CVE-2026-3515 Prefect 参数注入漏洞 — prefecthq/prefect--2026-05-24
CVE-2026-47114 IINA 参数注入漏洞 — iina 8.8 High2026-05-21
CVE-2026-8773 litemall 注入漏洞 — litemall 4.7 Medium2026-05-18
CVE-2026-45158 Deciso OPNsense 参数注入漏洞 — core 9.1 Critical2026-05-13
CVE-2026-44193 Deciso OPNsense 参数注入漏洞 — core 9.1 Critical2026-05-13
CVE-2026-42266 JupyterLab 参数注入漏洞 — jupyterlab 8.8 High2026-05-13
CVE-2026-25690 Fortinet FortiDeceptor 参数注入漏洞 — FortiDeceptor 4.0 Medium2026-05-12
CVE-2025-40948 Siemens多款产品 参数注入漏洞 — RUGGEDCOM ROX MX5000 6.8 Medium2026-05-12
CVE-2026-43893 exiftool-vendored 参数注入漏洞 — exiftool-vendored.js 8.2 High2026-05-11
CVE-2026-45181 Hex-Rays IDA Pro 参数注入漏洞 — IDA 6.5 Medium2026-05-09
CVE-2026-42601 ArchiveBox 参数注入漏洞 — ArchiveBox 9.8 -2026-05-09
CVE-2026-43941 Electerm 参数注入漏洞 — electerm 9.6 Critical2026-05-08
CVE-2026-42284 GitPython 参数注入漏洞 — GitPython 8.1 High2026-05-07
CVE-2026-40281 Gotenberg 参数注入漏洞 — gotenberg 10.0 Critical2026-05-06
CVE-2026-7865 Crestron Touchpanels 参数注入漏洞 — Touchpanels (x60/x70) 8.8 -2026-05-05
CVE-2026-7725 Prefect 注入漏洞 — prefect 6.3 Medium2026-05-04
CVE-2026-40938 Tekton Pipelines 参数注入漏洞 — pipeline 7.5 High2026-04-21
CVE-2026-6437 Amazon EFS CSI Driver 安全漏洞 — AWS EFS CSI Driver 6.5 Medium2026-04-17
CVE-2026-35153 Dell PowerProtect Data Domain(Dell PowerProtect DD) 安全漏洞 — PowerProtect Data Domain 6.7 Medium2026-04-17
CVE-2026-4145 Lenovo Software Fix 安全漏洞 — Software Fix 7.8 High2026-04-15
CVE-2026-39884 MCP Server Kubernetes 安全漏洞 — mcp-server-kubernetes 8.3 High2026-04-14
CVE-2026-35033 Jellyfin 安全漏洞 — jellyfin 7.5 -2026-04-14
CVE-2026-2449 upKeeper Instant Privilege Access 安全漏洞 — upKeeper Instant Privilege Access 9.8 -2026-04-14
CVE-2026-40113 PraisonAI 参数注入漏洞 — PraisonAI 8.4 High2026-04-09
CVE-2026-34769 Electron 安全漏洞 — electron 7.8 High2026-04-03
CVE-2026-35538 Roundcube Webmail 参数注入漏洞 — Webmail 3.1 Low2026-04-03

CWE-88(参数注入或修改) 是常见的弱点类别,本平台收录该类弱点关联的 161 条 CVE 漏洞。