CWE-58: Path Equivalence: Windows 8.3 Filename
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product contains a protection mechanism that restricts access to a long filename on a Windows operating system, but it does not properly restrict access to the equivalent short "8.3" filename.
扩展描述
On later Windows operating systems, a file can have a "long name" and a short name that is compatible with older Windows file systems, with up to 8 characters in the filename and 3 characters for the extension. These "8.3" filenames, therefore, act as an alternate name for files with long names, so they are useful pathname equivalence manipulations.
常见后果
影响范围: Confidentiality Integrity
技术影响: Read Files or Directories Modify Files or Directories
潜在缓解措施
阶段: System Configuration
描述: Disable Windows from supporting 8.3 filenames by editing the Windows registry. Preventing 8.3 filenames will not remove previously generated 8.3 filenames.
观察示例
参考: CVE-1999-0012
Multiple web servers allow restriction bypass using 8.3 names instead of long names
参考: CVE-2001-0795
Source code disclosure using 8.3 file name.
参考: CVE-2005-0471
Multi-Factor Vulnerability. Product generates temporary filenames using long filenames, which become predictable in 8.3 format.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
适用平台
编程语言
操作系统
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | Windows 8.3 Filename | - |
| Software Fault Patterns | SFP16 | Path Traversal | - |