CWE-67 5 個 CVE MITRE 定義 ↗

CWE-67:Improper Handling of Windows Device Names

概覽

CWE-67(Improper Handling of Windows Device Names)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.

背景詳情

來自 CWE 目錄的擴展上下文(由 MITRE XHTML 渲染)。

Historically, there was a bug in the Windows operating system that caused a blue screen of death. Even after that issue was fixed DOS device names continue to be a factor.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined
operating_system Windows Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-27199 2026-02-21 Werkzeug is a comprehensive WSGI web application library. Versions 3.1.5 and below, the safe_join function allows Windows device names as filenames if preceded by other path segments. This was previou…
CVE-2026-21860 2026-01-08 Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spa…
CVE-2025-66221 2025-11-28 Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device nam…
CVE-2024-51745 2024-11-05 Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so …
CVE-2024-35197 2024-05-23 gitoxide is a pure Rust implementation of Git. On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary …

曾用名

  • Windows MS-DOS Device Names (2008-04-11)
  • Failure to Handle Windows Device Names (2009-03-10)

內容提交

名稱
PLOVER
日期
2006-07-19
版本
Draft 3

內容修訂

日期 名稱 版本 重要性 評論
2008-07-01 Eric Dalci 1.0 updated Time_of_Introduction
2008-09-08 CWE Content Team 1.0 updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2008-10-14 CWE Content Team 1.0.1 updated Description
2008-11-24 CWE Content Team 1.1 updated Relationships, Taxonomy_Mappings
2009-03-10 CWE Content Team 1.3 updated Description, Name
2009-10-29 CWE Content Team 1.6 updated Background_Details, Other_Notes
2010-09-27 CWE Content Team 1.10 updated Description
2011-03-29 CWE Content Team 1.12 updated Description
2011-06-01 CWE Content Team 1.13 updated Common_Consequences, Relationships, Taxonomy_Mappings
2011-09-13 CWE Content Team 2.1 updated Relationships, Taxonomy_Mappings
2012-05-11 CWE Content Team 2.2 updated Observed_Examples, References, Relationships, Taxonomy_Mappings
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2014-07-30 CWE Content Team 2.8 updated Relationships, Taxonomy_Mappings
2017-11-08 CWE Content Team 3.0 updated Affected_Resources, Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings
2018-03-27 CWE Content Team 3.1 updated References
2019-01-03 CWE Content Team 3.2 updated Relationships, Taxonomy_Mappings
2020-02-24 CWE Content Team 4.0 updated Relationships
2023-01-31 CWE Content Team 4.10 updated Description
2023-04-27 CWE Content Team 4.11 updated Relationships, Time_of_Introduction
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2025-09-09 CWE Content Team 4.18 updated Functional_Areas
cvelogic Threat Intelligence