
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection'): vulnerability list (46)

Summary of the 46 CVEs associated with the CWE-90 weakness class, Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection'), with AI-generated analysis.

CWE-90 is LDAP injection, an input-neutralization weakness. When an application builds an LDAP search filter by concatenating user-controlled input, an attacker who supplies filter metacharacters (`*`, `(`, `)`, `\`, NUL) changes the structure of the filter instead of being matched as a value: a wildcard widens the search to every entry, and an injected closing parenthesis lets the attacker append or replace assertions, which is how authentication checks are bypassed and directory data is read. The defences are the usual ones for injection: validate input against an allowlist of the expected shape, never concatenate raw input into the filter string, and either use the LDAP library's filter-building API (JNDI's `search` overload that takes a `filterArgs` array encodes the arguments for you) or escape the value per RFC 4515 so that it is always treated as data and never as filter syntax.

MITRE CWE official description
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection'): The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability. Impact: Execute Unauthorized Code or Commands; Read Application Data; Modify Application Data.
An attacker could include input that changes the LDAP query, which allows unintended commands or code to be executed, allows sensitive data to be read or modified, or causes other unintended behavior.
Mitigations (1)
Phase: Implementation. Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Code Example (1)
The code below constructs an LDAP query using user-supplied address data:

```java
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// env, searchBase, searchCtls and the untrusted address are set up earlier.
DirContext context = new InitialDirContext(env);
// Vulnerable: address is concatenated into the filter unescaped, so '*', '(' or ')'
// in it rewrite the query instead of being matched as data.
String searchFilter = "StreetAddress=" + address;
NamingEnumeration answer = context.search(searchBase, searchFilter, searchCtls);
```

Bad · Java
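The following is an added Python example, not code from the page, MITRE or any listed project. It reproduces the concatenation pattern of the Java snippet above and puts beside it the two controls the analysis recommends: an allowlist check and RFC 4515 value escaping. No directory server is involved; what matters is the filter string that would be sent. The attribute name `StreetAddress` is taken from the snippet, the attacker inputs are constructed for the example, and the address regex is a hypothetical policy, not a universal rule.

```python
"""
CWE-90 in miniature: vulnerable filter concatenation versus allowlist
validation plus RFC 4515 escaping. Added example; no LDAP server needed.
"""
import re

# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash followed by the two hex digits of the byte.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Hypothetical allowlist for a street address: letters, digits, space and a
# few punctuation marks, bounded length. An assumption for this example.
_ADDRESS_RE = re.compile(r"^[A-Za-z0-9 ,.'/#-]{1,200}$")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII: RFC 4515 escapes each UTF-8 byte separately.
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def vulnerable_filter(address: str) -> str:
    """CWE-90: untrusted input concatenated straight into the filter."""
    return "(StreetAddress=" + address + ")"


def safe_filter(address: str) -> str:
    """Same query, but the value is escaped so it can only match as data."""
    return "(StreetAddress=" + escape_filter_value(address) + ")"


def is_allowed_address(address: str) -> bool:
    """'Accept known good': reject anything outside the expected shape."""
    return _ADDRESS_RE.fullmatch(address) is not None


def build_address_filter(address: str) -> str:
    """Defence in depth: allowlist first, then escape whatever passed."""
    if not is_allowed_address(address):
        raise ValueError("address rejected by allowlist")
    return safe_filter(address)


if __name__ == "__main__":
    # Constructed attacker inputs, not taken from any real CVE.
    wildcard = "*"                     # presence filter: matches every entry
    structural = "x)(objectClass=*"    # closes the assertion, appends another
    for payload in (wildcard, structural):
        print("input:      ", repr(payload))
        print("vulnerable: ", vulnerable_filter(payload))
        print("escaped:    ", safe_filter(payload))
        try:
            print("allowlisted:", build_address_filter(payload))
        except ValueError as exc:
            print("allowlisted:", exc)
        print()
```

With the wildcard input the vulnerable build yields `(StreetAddress=*)`, a presence filter that matches every entry carrying the attribute, while the escaped build yields `(StreetAddress=\2a)`, which matches only a literal asterisk. With the structural payload the vulnerable filter gains a second assertion; the escaped one still contains exactly one opening parenthesis. Escaping alone is sufficient to stop the injection; the allowlist is the "accept known good" layer the MITRE mitigation describes and also rejects inputs that are syntactically harmless but semantically wrong.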
| CVE ID | Title | Affected product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2026-46745 | Apache Airflow security vulnerability | Apache Airflow FAB provider | - | - | 2026-05-25 |
| CVE-2026-44930 | Apache CXF security vulnerability | Apache CXF | - | - | 2026-05-22 |
| CVE-2026-44063 | Netatalk injection vulnerability | Netatalk | 4.2 | Medium | 2026-05-21 |
| CVE-2026-41919 | Apache OFBiz injection vulnerability | Apache OFBiz | - | - | 2026-05-19 |
| CVE-2026-44671 | ZITADEL injection vulnerability | zitadel | 7.5 | High | 2026-05-14 |
| CVE-2026-44304 | lemur injection vulnerability | lemur | 8.1 | High | 2026-05-12 |
| CVE-2026-40606 | mitmproxy injection vulnerability | mitmproxy | 4.8 | Medium | 2026-04-21 |
| CVE-2026-40459 | pac4j security vulnerability | PAC4J | 8.1 (AI) | High (AI) | 2026-04-17 |
| CVE-2026-40193 | Maddy Mail Server security vulnerability | maddy | 8.2 | High | 2026-04-15 |
| CVE-2026-0636 | Bouncy Castle Java security vulnerability | BC-JAVA | 9.8 | - | 2026-04-15 |
| CVE-2026-39962 | MISP injection vulnerability | MISP | 8.2 (AI) | High (AI) | 2026-04-09 |
| CVE-2026-34578 | Deciso OPNsense security vulnerability | core | 8.2 | High | 2026-04-09 |
| CVE-2026-29138 | SEPPmail Secure Email Gateway security vulnerability | Secure Email Gateway | 4.3 (AI) | Medium (AI) | 2026-04-02 |
| CVE-2026-29131 | SEPPmail Secure Email Gateway security vulnerability | Secure Email Gateway | 6.5 (AI) | Medium (AI) | 2026-04-02 |
| CVE-2026-27860 | Open-Xchange OX Dovecot Pro security vulnerability | OX Dovecot Pro | 3.7 | Low | 2026-03-27 |
| CVE-2026-33751 | n8n injection vulnerability | n8n | 8.2 | - | 2026-03-25 |
| CVE-2026-33289 | SuiteCRM injection vulnerability | SuiteCRM | 8.8 | High | 2026-03-19 |
| CVE-2026-31828 | Parse Server injection vulnerability | parse-server | 8.8 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-25560 | WeKan injection vulnerability | WeKan | 7.5 (AI) | High (AI) | 2026-02-07 |
| CVE-2026-1498 | WatchGuard Fireware OS security vulnerability | Fireware OS | 7.5 (AI) | High (AI) | 2026-01-30 |
| CVE-2026-24130 | Moonraker security vulnerability | moonraker | 7.5 | - | 2026-01-22 |
| CVE-2026-21880 | Kanboard security vulnerability | kanboard | 5.3 | Medium | 2026-01-08 |
| CVE-2025-35431 | CISA Thorium security vulnerability | Thorium | 5.4 | Medium | 2025-09-17 |
| CVE-2025-48208 | Apache HertzBeat injection vulnerability | Apache HertzBeat (incubating) | 8.8 (AI) | High (AI) | 2025-09-09 |
| CVE-2025-52575 | EspoCRM injection vulnerability | espocrm | 6.5 | Medium | 2025-07-21 |
| CVE-2025-4573 | Mattermost security vulnerability | Mattermost | 4.1 | Medium | 2025-06-11 |
| CVE-2025-27686 | Dell Unisphere and Dell PowerMax injection vulnerability | Unisphere for PowerMax | 2.7 | Low | 2025-04-07 |
| CVE-2025-27631 | Hitachi Energy TRMTracker injection vulnerability | TRMTracker | 6.5 | Medium | 2025-03-25 |
| CVE-2024-56841 | Siemens Mendix injection vulnerability | Mendix LDAP | 7.4 | High | 2025-01-14 |
| CVE-2024-27310 | Zoho ManageEngine ADSelfService Plus security vulnerability | ADSelfService Plus | 5.3 | Medium | 2024-05-27 |

"(AI)" marks a CVSS score or risk level estimated by the platform's AI rather than taken from the published record; "-" means no value was given.

CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')) is a common weakness class; this platform lists 46 CVEs associated with it.