Common Weakness Enumeration

CWE-134

Allowed

Use of Externally-Controlled Format String

Abstraction: Base · Status: Draft

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

501 vulnerabilities reference this CWE, most recent first.

GHSA-25J9-9WXP-HPP7

Vulnerability from github – Published: 2022-04-29 02:58 – Updated: 2025-04-03 04:01
VLAI
Details

Format string vulnerability in the auth_debug function in Courier-IMAP 1.6.0 through 2.2.1 and 3.x through 3.0.3, when login debugging (DEBUG_LOGIN) is enabled, allows remote attackers to execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2004-0777"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2004-10-20T04:00:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in the auth_debug function in Courier-IMAP 1.6.0 through 2.2.1 and 3.x through 3.0.3, when login debugging (DEBUG_LOGIN) is enabled, allows remote attackers to execute arbitrary code.",
  "id": "GHSA-25j9-9wxp-hpp7",
  "modified": "2025-04-03T04:01:29Z",
  "published": "2022-04-29T02:58:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2004-0777"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17034"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-200408-19.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/10976"
    },
    {
      "type": "WEB",
      "url": "http://www.trustix.net/errata/2004/0043"
    },
    {
      "type": "WEB",
      "url": "http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=131"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-273H-28GX-8F5J

Vulnerability from github – Published: 2023-12-19 00:30 – Updated: 2023-12-19 00:30
VLAI
Details

A format string issue in the Controller 6000's optional diagnostic web interface can be used to write/read from memory, and in some instances crash the Controller 6000 leading to a Denial of Service.

This issue affects: Gallagher Controller 6000 8.60 prior to vCR8.60.231116a (distributed in 8.60.2550 (MR7)), all versions of 8.50 and prior.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-24590"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-18T22:15:08Z",
    "severity": "HIGH"
  },
  "details": "\n\n\nA format string issue in the Controller 6000\u0027s optional diagnostic web interface can be used to write/read from memory, and in some instances crash the Controller 6000 leading to a Denial of Service.\n\nThis issue affects: Gallagher Controller 6000 8.60 prior to vCR8.60.231116a (distributed in 8.60.2550 (MR7)), all versions of 8.50 and prior.\n\n\n\n",
  "id": "GHSA-273h-28gx-8f5j",
  "modified": "2023-12-19T00:30:18Z",
  "published": "2023-12-19T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24590"
    },
    {
      "type": "WEB",
      "url": "https://security.gallagher.com/Security-Advisories/CVE-2023-24590"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-29J9-CCP8-QCCG

Vulnerability from github – Published: 2022-10-25 19:00 – Updated: 2022-10-27 19:00
VLAI
Details

Four format string injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted HTTP request can lead to memory corruption, information disclosure and denial of service. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.This vulnerability arises from format string injection via the default_key_id and key HTTP parameters, as used within the /action/wirelessConnect handler.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35886"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-25T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Four format string injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted HTTP request can lead to memory corruption, information disclosure and denial of service. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.This vulnerability arises from format string injection via the `default_key_id` and `key` HTTP parameters, as used within the `/action/wirelessConnect` handler.",
  "id": "GHSA-29j9-ccp8-qccg",
  "modified": "2022-10-27T19:00:35Z",
  "published": "2022-10-25T19:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35886"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1585"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2CQ5-593X-R5J7

Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of NetGain Systems Enterprise Manager 7.2.730 build 1034. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the org.apache.jsp.u.jsp.tools.exec_jsp servlet, which listens on TCP port 8081 by default. When parsing the command parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code under the context of Administrator. Was ZDI-CAN-5193.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-16602"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-23T01:29:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of NetGain Systems Enterprise Manager 7.2.730 build 1034. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the org.apache.jsp.u.jsp.tools.exec_jsp servlet, which listens on TCP port 8081 by default. When parsing the command parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code under the context of Administrator. Was ZDI-CAN-5193.",
  "id": "GHSA-2cq5-593x-r5j7",
  "modified": "2022-05-13T01:37:23Z",
  "published": "2022-05-13T01:37:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16602"
    },
    {
      "type": "WEB",
      "url": "https://zerodayinitiative.com/advisories/ZDI-17-967"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2GH9-F6JF-23HQ

Vulnerability from github – Published: 2024-05-03 09:30 – Updated: 2024-05-03 09:30
VLAI
Details

Use of Externally-Controlled Format String vulnerability in Merge DICOM Toolkit C/C++ on Windows.

When MC_Open_Association() function is used to open DICOM Association and gets DICOM Application Context Name with illegal characters, it might result in an unhandled exception.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23914"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T09:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Use of Externally-Controlled Format String vulnerability in Merge DICOM Toolkit C/C++ on Windows.\n\nWhen MC_Open_Association() function is used to open DICOM Association and gets DICOM Application Context Name with illegal characters, it might result in an unhandled exception.",
  "id": "GHSA-2gh9-f6jf-23hq",
  "modified": "2024-05-03T09:30:52Z",
  "published": "2024-05-03T09:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23914"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-23914"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2GXR-WCWW-QXM9

Vulnerability from github – Published: 2022-05-02 03:39 – Updated: 2022-05-02 03:39
VLAI
Details

Format string vulnerability in the CNS_AddTxt function in logs.dll in 2K Games Vietcong 2 1.10 and earlier might allow remote attackers to execute arbitrary code via format string specifiers in the nickname.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-2916"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-08-21T11:30:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in the CNS_AddTxt function in logs.dll in 2K Games Vietcong 2 1.10 and earlier might allow remote attackers to execute arbitrary code via format string specifiers in the nickname.",
  "id": "GHSA-2gxr-wcww-qxm9",
  "modified": "2022-05-02T03:39:57Z",
  "published": "2022-05-02T03:39:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2916"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52422"
    },
    {
      "type": "WEB",
      "url": "http://aluigi.altervista.org/adv/vietcong2fs-adv.txt"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/57002"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/36301"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2J6V-XPF3-XVRV

Vulnerability from github – Published: 2022-03-01 18:58 – Updated: 2022-03-10 15:59
VLAI
Summary
Use of Externally-Controlled Format String in wire-avs
Details

Impact

A remote format string vulnerability allowed an attacker to cause a denial of service or possibly execute arbitrary code.

Patches

  • The issue has been fixed in wire-avs 7.1.12 and is already included on all Wire products (currently used version is 8.0.x)

Workarounds

  • No workaround known

References

  • Fixed in commit https://github.com/wireapp/wire-avs/commit/40d373ede795443ae6f2f756e9fb1f4f4ae90bbe

For more information

If you have any questions or comments about this advisory feel free to email us at vulnerability-report@wire.com

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.wire:avs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41193"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-01T18:58:23Z",
    "nvd_published_at": "2022-03-01T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nA remote format string vulnerability allowed an attacker to cause a denial of service or possibly execute arbitrary code.\n\n### Patches\n* The issue has been fixed in wire-avs 7.1.12 and is already included on all Wire products (currently used version is 8.0.x)\n\n### Workarounds\n* No workaround known\n\n### References\n* Fixed in commit https://github.com/wireapp/wire-avs/commit/40d373ede795443ae6f2f756e9fb1f4f4ae90bbe\n\n### For more information\n\nIf you have any questions or comments about this advisory feel free to email us at [vulnerability-report@wire.com](mailto:vulnerability-report@wire.com)\n",
  "id": "GHSA-2j6v-xpf3-xvrv",
  "modified": "2022-03-10T15:59:41Z",
  "published": "2022-03-01T18:58:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/wireapp/wire-avs/security/advisories/GHSA-2j6v-xpf3-xvrv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41193"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wireapp/wire-avs/commit/40d373ede795443ae6f2f756e9fb1f4f4ae90bbe"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wireapp/wire-avs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use of Externally-Controlled Format String in wire-avs"
}

GHSA-2RX6-8WW2-27G3

Vulnerability from github – Published: 2022-05-01 06:42 – Updated: 2022-05-01 06:42
VLAI
Details

Format string vulnerability in a logging function as used by various SFTP servers, including (1) AttachmateWRQ Reflection for Secure IT UNIX Server before 6.0.0.9, (2) Reflection for Secure IT Windows Server before 6.0 build 38, (3) F-Secure SSH Server for Windows before 5.3 build 35, (4) F-Secure SSH Server for UNIX 3.0 through 5.0.8, (5) SSH Tectia Server 4.3.6 and earlier and 4.4.0, and (6) SSH Shell Server 3.2.9 and earlier, allows remote authenticated users to execute arbitrary commands via unspecified vectors, involving crafted filenames and the stat command.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-0705"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-02-15T11:06:00Z",
    "severity": "MODERATE"
  },
  "details": "Format string vulnerability in a logging function as used by various SFTP servers, including (1) AttachmateWRQ Reflection for Secure IT UNIX Server before 6.0.0.9, (2) Reflection for Secure IT Windows Server before 6.0 build 38, (3) F-Secure SSH Server for Windows before 5.3 build 35, (4) F-Secure SSH Server for UNIX 3.0 through 5.0.8, (5) SSH Tectia Server 4.3.6 and earlier and 4.4.0, and (6) SSH Shell Server 3.2.9 and earlier, allows remote authenticated users to execute arbitrary commands via unspecified vectors, involving crafted filenames and the stat command.",
  "id": "GHSA-2rx6-8ww2-27g3",
  "modified": "2022-05-01T06:42:02Z",
  "published": "2022-05-01T06:42:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-0705"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/24651"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=120654385125315\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/18828"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/18843"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/24516"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29552"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-200703-13.xml"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1015619"
    },
    {
      "type": "WEB",
      "url": "http://support.wrq.com/techdocs/1882.html"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/419241"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/16625"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/16640"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2006/0554"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2006/0555"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/1008/references"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2V6C-8783-RMXX

Vulnerability from github – Published: 2022-05-01 18:31 – Updated: 2022-05-01 18:31
VLAI
Details

Format string vulnerability in the SMBDirList function in dirlist.c in SmbFTPD 0.96 allows remote attackers to execute arbitrary code via format string specifiers in a directory name.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-5184"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-10-03T14:17:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in the SMBDirList function in dirlist.c in SmbFTPD 0.96 allows remote attackers to execute arbitrary code via format string specifiers in a directory name.",
  "id": "GHSA-2v6c-8783-rmxx",
  "modified": "2022-05-01T18:31:01Z",
  "published": "2022-05-01T18:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5184"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36893"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/4478"
    },
    {
      "type": "WEB",
      "url": "http://debork.se/poc/001_smbftpd.c"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/41385"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/27014"
    },
    {
      "type": "WEB",
      "url": "http://sourceforge.net/project/shownotes.php?release_id=543077"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/481220/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/25871"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/3311"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2XWC-FF9J-7R5H

Vulnerability from github – Published: 2022-05-02 04:01 – Updated: 2025-04-12 12:32
VLAI
Details

Format string vulnerability in War FTP Daemon (warftpd) 1.82 RC 12 allows remote authenticated users to cause a denial of service (crash) via format string specifiers in a LIST command.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-5141"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-04-01T03:24:00Z",
    "severity": "MODERATE"
  },
  "details": "Format string vulnerability in War FTP Daemon (warftpd) 1.82 RC 12 allows remote authenticated users to cause a denial of service (crash) via format string specifiers in a LIST command.",
  "id": "GHSA-2xwc-ff9j-7r5h",
  "modified": "2025-04-12T12:32:01Z",
  "published": "2022-05-02T04:01:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-5141"
    },
    {
      "type": "WEB",
      "url": "https://www.corelan.be/index.php/forum/security-advisories-archive-2009/corelan-09001-warftpd-1-82-rc12-dos"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/bugtraq/2009-09/0105.html"
    },
    {
      "type": "WEB",
      "url": "http://www.exploit-db.com/exploits/9622"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/62599"
    },
    {
      "type": "WEB",
      "url": "http://www.warftp.org/index.php?menu=338\u0026cmd=show_article\u0026article_id=1003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Requirements

Choose a language that is not subject to this flaw.

Mitigation
Implementation

Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]

Mitigation
Build and Compilation

Run compilers and linkers with high warning levels, since they may detect incorrect usage.

CAPEC-135: Format String Injection

An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.

CAPEC-67: String Format Overflow in syslog()

This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.