https://blog.qife122.com/tags/%E6%8E%88%E6%9D%83%E6%9C%BA%E5%88%B6/ Recent content in 授权机制 on 办公AI智能小助手 Hugo zh-cn qife Sun, 04 Jan 2026 01:55:12 +0800 https://blog.qife122.com/p/ash%E6%A1%86%E6%9E%B6%E6%8E%88%E6%9D%83%E6%BC%8F%E6%B4%9E%E8%B0%83%E7%94%A8%E9%92%A9%E5%AD%90%E9%A1%BA%E5%BA%8F%E5%BC%82%E5%B8%B8%E5%AF%BC%E8%87%B4%E7%9A%84%E5%AE%89%E5%85%A8%E9%A3%8E%E9%99%A9%E8%A7%A3%E6%9E%90/ Sun, 04 Jan 2026 01:55:12 +0800 https://blog.qife122.com/p/ash%E6%A1%86%E6%9E%B6%E6%8E%88%E6%9D%83%E6%BC%8F%E6%B4%9E%E8%B0%83%E7%94%A8%E9%92%A9%E5%AD%90%E9%A1%BA%E5%BA%8F%E5%BC%82%E5%B8%B8%E5%AF%BC%E8%87%B4%E7%9A%84%E5%AE%89%E5%85%A8%E9%A3%8E%E9%99%A9%E8%A7%A3%E6%9E%90/ <h1 id="安全漏洞技术分析cve-2025-48042">安全漏洞技术分析：CVE-2025-48042</h1> <h2 id="漏洞概述">漏洞概述</h2> <p>CVE-2025-48042是一个存在于ash-project的Ash框架中的<strong>授权绕过类漏洞</strong>，被归类为&quot;<strong>不正确的授权</strong>&quot;（CWE-863）。该漏洞影响版本为<strong>3.5.38及以下</strong>的所有Ash框架，已通过版本<strong>3.5.39</strong>修复。</p> https://blog.qife122.com/p/gmission-web-fax-%E6%8E%88%E6%9D%83%E7%BC%BA%E5%A4%B1%E6%BC%8F%E6%B4%9E%E8%AF%A6%E8%A7%A3cve-2025-15068%E4%B8%8E%E6%9D%83%E9%99%90%E6%BB%A5%E7%94%A8%E9%A3%8E%E9%99%A9/ Mon, 29 Dec 2025 16:16:00 +0800 https://blog.qife122.com/p/gmission-web-fax-%E6%8E%88%E6%9D%83%E7%BC%BA%E5%A4%B1%E6%BC%8F%E6%B4%9E%E8%AF%A6%E8%A7%A3cve-2025-15068%E4%B8%8E%E6%9D%83%E9%99%90%E6%BB%A5%E7%94%A8%E9%A3%8E%E9%99%A9/ <h1 id="cve-2025-15068-gmission-web-fax-中的-cwe-862-授权缺失漏洞">CVE-2025-15068: Gmission Web Fax 中的 CWE-862 授权缺失漏洞</h1> <p><strong>严重性：高</strong> <strong>类型：漏洞</strong></p> <p><strong>CVE：</strong> CVE-2025-15068</p> <p>Gmission Web Fax 中存在的“授权缺失”漏洞，允许攻击者通过篡改进行<strong>权限滥用</strong>和<strong>会话凭据伪造</strong>。</p> <p>此问题影响 Web Fax 的版本范围：从 3.0 版到 4.0 版之前。</p> https://blog.qife122.com/p/ash%E6%A1%86%E6%9E%B6%E6%8E%88%E6%9D%83%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E8%BF%87%E6%BB%A4%E5%99%A8%E7%AD%96%E7%95%A5%E8%AF%AF%E7%94%A8%E5%AF%BC%E8%87%B4%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87/ Tue, 25 Nov 2025 10:38:40 +0800 https://blog.qife122.com/p/ash%E6%A1%86%E6%9E%B6%E6%8E%88%E6%9D%83%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E8%BF%87%E6%BB%A4%E5%99%A8%E7%AD%96%E7%95%A5%E8%AF%AF%E7%94%A8%E5%AF%BC%E8%87%B4%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87/ <h1 id="ash-framework-filter-authorization-misapplies-impossible-bypassruntime-policies--cve-2025-48043--github-advisory-database">Ash Framework: Filter authorization misapplies impossible bypass/runtime policies · CVE-2025-48043 · GitHub Advisory Database</h1> <h2 id="漏洞概述">漏洞概述</h2> <p><strong>严重程度：高</strong><br> CVSS评分：8.6</p> <p><strong>受影响版本：</strong> &lt; 3.6.2<br> <strong>修复版本：</strong> 3.6.2</p> <h2 id="漏洞描述">漏洞描述</h2> <h3 id="摘要">摘要</h3> <p>在使用过滤器授权时，两种边缘情况可能导致策略编译器/授权器生成过于宽松的过滤器：</p> https://blog.qife122.com/p/ash%E6%A1%86%E6%9E%B6%E6%8E%88%E6%9D%83%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E8%BF%87%E6%BB%A4%E5%99%A8%E7%AD%96%E7%95%A5%E9%94%99%E8%AF%AF%E5%AF%BC%E8%87%B4%E6%95%B0%E6%8D%AE%E6%B3%84%E9%9C%B2%E9%A3%8E%E9%99%A9/ Mon, 24 Nov 2025 13:22:57 +0800 https://blog.qife122.com/p/ash%E6%A1%86%E6%9E%B6%E6%8E%88%E6%9D%83%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E8%BF%87%E6%BB%A4%E5%99%A8%E7%AD%96%E7%95%A5%E9%94%99%E8%AF%AF%E5%AF%BC%E8%87%B4%E6%95%B0%E6%8D%AE%E6%B3%84%E9%9C%B2%E9%A3%8E%E9%99%A9/ <h1 id="ash-framework过滤器授权错误应用不可绕过的绕过运行时策略">Ash Framework：过滤器授权错误应用不可绕过的绕过/运行时策略</h1> <h2 id="漏洞概述">漏洞概述</h2> <p><strong>CVE-2025-48043</strong> 是一个在Ash Framework中发现的高危安全漏洞，涉及过滤器授权机制中的策略错误应用问题。</p> https://blog.qife122.com/p/ash%E6%A1%86%E6%9E%B6%E6%8E%88%E6%9D%83%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E8%BF%87%E6%BB%A4%E5%99%A8%E7%AD%96%E7%95%A5%E9%94%99%E8%AF%AF%E5%AF%BC%E8%87%B4%E6%95%B0%E6%8D%AE%E6%B3%84%E9%9C%B2%E9%A3%8E%E9%99%A9/ Wed, 19 Nov 2025 02:37:56 +0800 https://blog.qife122.com/p/ash%E6%A1%86%E6%9E%B6%E6%8E%88%E6%9D%83%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E8%BF%87%E6%BB%A4%E5%99%A8%E7%AD%96%E7%95%A5%E9%94%99%E8%AF%AF%E5%AF%BC%E8%87%B4%E6%95%B0%E6%8D%AE%E6%B3%84%E9%9C%B2%E9%A3%8E%E9%99%A9/ <h1 id="ash-framework-filter-authorization-misapplies-impossible-bypassruntime-policies--cve-2025-48043">Ash Framework: Filter authorization misapplies impossible bypass/runtime policies · CVE-2025-48043</h1> <h2 id="摘要">摘要</h2> <p>当使用过滤器授权时，两个边缘案例可能导致策略编译器/授权器生成过于宽松的过滤器：</p> <ul> <li> <p>其条件在运行时永远无法通过的绕过策略被编译为 <code>OR(AND(condition, compiled_policies), NOT(condition))</code></p> https://blog.qife122.com/p/ash%E6%A1%86%E6%9E%B6%E6%8E%88%E6%9D%83%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E8%BF%87%E6%BB%A4%E5%99%A8%E7%AD%96%E7%95%A5%E9%94%99%E8%AF%AF%E5%AF%BC%E8%87%B4%E6%95%B0%E6%8D%AE%E6%B3%84%E9%9C%B2%E9%A3%8E%E9%99%A9/ Wed, 12 Nov 2025 08:59:02 +0800 https://blog.qife122.com/p/ash%E6%A1%86%E6%9E%B6%E6%8E%88%E6%9D%83%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E8%BF%87%E6%BB%A4%E5%99%A8%E7%AD%96%E7%95%A5%E9%94%99%E8%AF%AF%E5%AF%BC%E8%87%B4%E6%95%B0%E6%8D%AE%E6%B3%84%E9%9C%B2%E9%A3%8E%E9%99%A9/ <h1 id="ash框架过滤器授权漏洞分析">Ash框架过滤器授权漏洞分析</h1> <h2 id="漏洞概述">漏洞概述</h2> <p><strong>CVE-2025-48043</strong>是一个影响Ash框架的高严重性安全漏洞，涉及过滤器授权机制中的策略错误应用问题。</p> <h2 id="技术细节">技术细节</h2> <h3 id="漏洞成因">漏洞成因</h3> <p>该漏洞包含两个边缘案例：</p> <ol> <li> <p><strong>绕过策略条件编译错误</strong></p> https://blog.qife122.com/p/ash%E6%A1%86%E6%9E%B6%E6%8E%88%E6%9D%83%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E8%BF%87%E6%BB%A4%E5%99%A8%E7%AD%96%E7%95%A5%E8%AF%AF%E7%94%A8%E5%AF%BC%E8%87%B4%E6%95%B0%E6%8D%AE%E8%B6%8A%E6%9D%83%E8%AE%BF%E9%97%AE/ Mon, 10 Nov 2025 20:45:12 +0800 https://blog.qife122.com/p/ash%E6%A1%86%E6%9E%B6%E6%8E%88%E6%9D%83%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E8%BF%87%E6%BB%A4%E5%99%A8%E7%AD%96%E7%95%A5%E8%AF%AF%E7%94%A8%E5%AF%BC%E8%87%B4%E6%95%B0%E6%8D%AE%E8%B6%8A%E6%9D%83%E8%AE%BF%E9%97%AE/ <h1 id="ash框架过滤器授权漏洞分析">Ash框架过滤器授权漏洞分析</h1> <h2 id="漏洞概述">漏洞概述</h2> <p>Ash框架在过滤器授权实现中存在两个边界情况，可能导致策略编译器/授权器生成过于宽松的过滤器：</p> <ol> <li> <p><strong>绕过策略问题</strong>：当使用在运行时永远无法通过的绕过策略条件时，策略被编译为<code>OR(AND(condition, compiled_policies), NOT(condition))</code>。如果条件在运行时永远不为真，<code>NOT(condition)</code>分支将评估为真值，导致整个表达式变得宽松。</p> https://blog.qife122.com/p/ash%E6%A1%86%E6%9E%B6%E6%8E%88%E6%9D%83%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E8%BF%87%E6%BB%A4%E5%99%A8%E7%AD%96%E7%95%A5%E9%94%99%E8%AF%AF%E5%AF%BC%E8%87%B4%E6%95%B0%E6%8D%AE%E8%B6%8A%E6%9D%83%E8%AE%BF%E9%97%AE/ Mon, 03 Nov 2025 01:25:39 +0800 https://blog.qife122.com/p/ash%E6%A1%86%E6%9E%B6%E6%8E%88%E6%9D%83%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E8%BF%87%E6%BB%A4%E5%99%A8%E7%AD%96%E7%95%A5%E9%94%99%E8%AF%AF%E5%AF%BC%E8%87%B4%E6%95%B0%E6%8D%AE%E8%B6%8A%E6%9D%83%E8%AE%BF%E9%97%AE/ <h1 id="ash-framework-filter-authorization-misapplies-impossible-bypassruntime-policies--cve-2025-48043--github-advisory-database">Ash Framework: Filter authorization misapplies impossible bypass/runtime policies · CVE-2025-48043 · GitHub Advisory Database</h1> <h2 id="摘要">摘要</h2> <p><strong>高严重性</strong> · GitHub已审核<br> <strong>发布日期</strong>：2025年10月10日 · <strong>更新日期</strong>：2025年10月13日</p> <p><strong>受影响包</strong>：erlang ash (Erlang)<br> <strong>受影响版本</strong>：&lt; 3.6.2<br> <strong>修复版本</strong>：3.6.2</p> https://blog.qife122.com/p/ash%E6%A1%86%E6%9E%B6%E6%8E%88%E6%9D%83%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E8%BF%87%E6%BB%A4%E5%99%A8%E7%AD%96%E7%95%A5%E9%94%99%E8%AF%AF%E5%AF%BC%E8%87%B4%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87/ Sat, 01 Nov 2025 12:38:48 +0800 https://blog.qife122.com/p/ash%E6%A1%86%E6%9E%B6%E6%8E%88%E6%9D%83%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E8%BF%87%E6%BB%A4%E5%99%A8%E7%AD%96%E7%95%A5%E9%94%99%E8%AF%AF%E5%AF%BC%E8%87%B4%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87/ <h1 id="ash框架过滤器授权漏洞分析">Ash框架过滤器授权漏洞分析</h1> <h2 id="漏洞概述">漏洞概述</h2> <p>Ash框架在过滤器授权机制中存在两个边界情况，可能导致策略编译器/授权器生成过于宽松的过滤器：</p> <ol> <li> <p><strong>绕过策略问题</strong>：当绕过策略的条件在运行时永远无法通过时，策略被编译为<code>OR(AND(condition, compiled_policies), NOT(condition))</code>。如果条件永远为假，<code>NOT(condition)</code>分支将评估为真值，整个表达式变得宽松。</p> https://blog.qife122.com/p/ash%E6%A1%86%E6%9E%B6%E6%8E%88%E6%9D%83%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E6%9C%AA%E6%8E%88%E6%9D%83%E6%89%A7%E8%A1%8Cbefore_transaction%E9%92%A9%E5%AD%90%E7%9A%84%E9%A3%8E%E9%99%A9/ Fri, 31 Oct 2025 00:07:06 +0800 https://blog.qife122.com/p/ash%E6%A1%86%E6%9E%B6%E6%8E%88%E6%9D%83%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E6%9C%AA%E6%8E%88%E6%9D%83%E6%89%A7%E8%A1%8Cbefore_transaction%E9%92%A9%E5%AD%90%E7%9A%84%E9%A3%8E%E9%99%A9/ <h1 id="cve-2025-48042ash框架授权绕过漏洞分析">CVE-2025-48042：Ash框架授权绕过漏洞分析</h1> <h2 id="漏洞概述">漏洞概述</h2> <p><strong>CVE ID</strong>: CVE-2025-48042<br> <strong>GHSA ID</strong>: GHSA-jj4j-x5ww-cwh9<br> <strong>严重程度</strong>: 高危（CVSS评分7.1）<br> <strong>受影响版本</strong>: Ash框架 ≤ 3.5.38<br> <strong>修复版本</strong>: Ash框架 3.5.39</p> <h2 id="技术细节">技术细节</h2> <h3 id="漏洞描述">漏洞描述</h3> <p>在某些包含<code>before_transaction</code>钩子但不包含<code>after_transaction</code>钩子的批量操作调用中，当作为批量操作调用时，系统会在检查授权和返回禁止错误之前调用<code>before_transaction</code>钩子。</p>