CWE-134
AllowedUse of Externally-Controlled Format String
Abstraction: Base · Status: Draft
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
500 vulnerabilities reference this CWE, most recent first.
GHSA-3265-7C8C-JH75
Vulnerability from github – Published: 2022-05-03 03:12 – Updated: 2022-05-03 03:12Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, and other products that use neon including (2) Cadaver, (3) Subversion, and (4) OpenOffice, allow remote malicious WebDAV servers to execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2004-0179"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2004-06-01T04:00:00Z",
"severity": "MODERATE"
},
"details": "Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, and other products that use neon including (2) Cadaver, (3) Subversion, and (4) OpenOffice, allow remote malicious WebDAV servers to execute arbitrary code.",
"id": "GHSA-3265-7c8c-jh75",
"modified": "2022-05-03T03:12:58Z",
"published": "2022-05-03T03:12:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2004-0179"
},
{
"type": "WEB",
"url": "https://bugzilla.fedora.us/show_bug.cgi?id=1552"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1065"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10913"
},
{
"type": "WEB",
"url": "http://lists.suse.com/archive/suse-security-announce/2004-Apr/0002.html"
},
{
"type": "WEB",
"url": "http://lists.suse.com/archive/suse-security-announce/2004-Apr/0003.html"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=108213873203477\u0026w=2"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=108214147022626\u0026w=2"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/11363"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200405-01.xml"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200405-04.xml"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2004/dsa-487"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2004:032"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/5365"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2004-157.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2004-158.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2004-159.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2004-160.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/10136"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-32V4-2939-6235
Vulnerability from github – Published: 2022-05-02 00:03 – Updated: 2022-05-02 00:03Format string vulnerability in Ipswitch WS_FTP Home 2007.0.0.2 and WS_FTP Professional 2007.1.0.0 allows remote FTP servers to cause a denial of service (application crash) or possibly execute arbitrary code via format string specifiers in a connection greeting (response).
{
"affected": [],
"aliases": [
"CVE-2008-3734"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-08-20T16:41:00Z",
"severity": "HIGH"
},
"details": "Format string vulnerability in Ipswitch WS_FTP Home 2007.0.0.2 and WS_FTP Professional 2007.1.0.0 allows remote FTP servers to cause a denial of service (application crash) or possibly execute arbitrary code via format string specifiers in a connection greeting (response).",
"id": "GHSA-32v4-2939-6235",
"modified": "2022-05-02T00:03:02Z",
"published": "2022-05-02T00:03:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3734"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44512"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/6257"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/31504"
},
{
"type": "WEB",
"url": "http://securityreason.com/securityalert/4173"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/30720"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1020713"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1020714"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-32V7-GHPR-C8HG
Vulnerability from github – Published: 2021-08-25 20:58 – Updated: 2023-06-13 18:30ncurses exposes functions from the ncurses library which: * Pass buffers without length to C functions that may write an arbitrary amount of data, leading to a buffer overflow. (instr, mvwinstr, etc) * Passes rust &str to strings expecting C format arguments, allowing hostile input to execute a format string attack, which trivially allows writing arbitrary data to stack memory (functions in the printw family).
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "ncurses"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.101.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-15547"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-18T17:45:13Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "ncurses exposes functions from the ncurses library which:\n* Pass buffers without length to C functions that may write an arbitrary amount of data, leading to a buffer overflow. (instr, mvwinstr, etc)\n* Passes rust \u0026str to strings expecting C format arguments, allowing hostile input to execute a format string attack, which trivially allows writing arbitrary data to stack memory (functions in the printw family).\n",
"id": "GHSA-32v7-ghpr-c8hg",
"modified": "2023-06-13T18:30:35Z",
"published": "2021-08-25T20:58:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15547"
},
{
"type": "WEB",
"url": "https://github.com/RustSec/advisory-db/issues/106"
},
{
"type": "WEB",
"url": "https://github.com/jeaye/ncurses-rs/issues/172"
},
{
"type": "PACKAGE",
"url": "https://github.com/jeaye/ncurses-rs"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2019-0006.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mishandling of format strings in ncurses"
}
GHSA-342C-W38F-J4WC
Vulnerability from github – Published: 2023-01-06 18:30 – Updated: 2023-01-12 15:30A vulnerability was found in intgr uqm-wasm. It has been classified as critical. This affects the function log_displayBox in the library sc2/src/libs/log/msgbox_macosx.m. The manipulation leads to format string. The name of the patch is 1d5cbf3350a02c423ad6bef6dfd5300d38aa828f. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217563.
{
"affected": [],
"aliases": [
"CVE-2020-36643"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-06T17:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability was found in intgr uqm-wasm. It has been classified as critical. This affects the function log_displayBox in the library sc2/src/libs/log/msgbox_macosx.m. The manipulation leads to format string. The name of the patch is 1d5cbf3350a02c423ad6bef6dfd5300d38aa828f. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217563.",
"id": "GHSA-342c-w38f-j4wc",
"modified": "2023-01-12T15:30:25Z",
"published": "2023-01-06T18:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36643"
},
{
"type": "WEB",
"url": "https://github.com/intgr/uqm-wasm/commit/1d5cbf3350a02c423ad6bef6dfd5300d38aa828f"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.217563"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.217563"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-34RR-QP2J-P4Q7
Vulnerability from github – Published: 2026-03-24 09:30 – Updated: 2026-03-24 09:30An unauthenticated remote attacker may be able to control the format string of messages processed by the Audit Log of the CODESYS Control runtime system, potentially resulting in a denial‑of‑service (DoS) condition.
{
"affected": [],
"aliases": [
"CVE-2026-3509"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-24T08:16:01Z",
"severity": "HIGH"
},
"details": "An unauthenticated remote attacker may be able to control the format string of messages processed by the Audit Log of the CODESYS Control runtime system, potentially resulting in a denial\u2011of\u2011service (DoS) condition.",
"id": "GHSA-34rr-qp2j-p4q7",
"modified": "2026-03-24T09:30:31Z",
"published": "2026-03-24T09:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3509"
},
{
"type": "WEB",
"url": "https://certvde.com/de/advisories/VDE-2026-018"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3655-XQ3Q-XQ2P
Vulnerability from github – Published: 2022-05-01 17:41 – Updated: 2025-04-09 03:35Format string vulnerability in Apple iPhoto 6.0.5 (316), and other versions before 6.0.6, allows remote user-assisted attackers to execute arbitrary code via a crafted photocast with format string specifiers in the title of an RSS iPhoto feed.
{
"affected": [],
"aliases": [
"CVE-2007-0051"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2007-01-04T18:28:00Z",
"severity": "MODERATE"
},
"details": "Format string vulnerability in Apple iPhoto 6.0.5 (316), and other versions before 6.0.6, allows remote user-assisted attackers to execute arbitrary code via a crafted photocast with format string specifiers in the title of an RSS iPhoto feed.",
"id": "GHSA-3655-xq3q-xq2p",
"modified": "2025-04-09T03:35:44Z",
"published": "2022-05-01T17:41:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-0051"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31281"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/3080"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0100.html"
},
{
"type": "WEB",
"url": "http://docs.info.apple.com/article.html?artnum=305215"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2007/Mar//msg00003.html"
},
{
"type": "WEB",
"url": "http://osvdb.org/31165"
},
{
"type": "WEB",
"url": "http://projects.info-pull.com/moab/MOAB-04-01-2007.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/23615"
},
{
"type": "WEB",
"url": "http://www.digitalmunition.com/DMA%5B2007-0104a%5D.txt"
},
{
"type": "WEB",
"url": "http://www.digitalmunition.com/DMA[2007-0104a].txt"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/455968/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/21871"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2007/0057"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-36G6-RVXX-R5JM
Vulnerability from github – Published: 2022-09-10 00:00 – Updated: 2022-09-16 00:00The Baxter Spectrum WBM (v16, v16D38) and Baxter Spectrum WBM (v17, v17D19, v20D29 to v20D32) when in superuser mode is susceptible to format string attacks via application messaging. An attacker could use this to read memory in the WBM to access sensitive information.
{
"affected": [],
"aliases": [
"CVE-2022-26392"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-09T15:15:00Z",
"severity": "MODERATE"
},
"details": "The Baxter Spectrum WBM (v16, v16D38) and Baxter Spectrum WBM (v17, v17D19, v20D29 to v20D32) when in superuser mode is susceptible to format string attacks via application messaging. An attacker could use this to read memory in the WBM to access sensitive information.",
"id": "GHSA-36g6-rvxx-r5jm",
"modified": "2022-09-16T00:00:38Z",
"published": "2022-09-10T00:00:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26392"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-251-01"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsma-22-xxx-xx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3725-X3X8-R7JQ
Vulnerability from github – Published: 2022-05-01 18:44 – Updated: 2022-05-01 18:44The Platform Service Process (asampsp) in Fan-Out Driver Platform Services for Novell Identity Manager (IDM) 3.5.1 allows remote attackers to cause a denial of service (daemon crash) via unspecified network traffic that triggers a syslog message containing invalid format string specifiers, as demonstrated by a Nessus scan.
{
"affected": [],
"aliases": [
"CVE-2007-6625"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-01-04T00:46:00Z",
"severity": "MODERATE"
},
"details": "The Platform Service Process (asampsp) in Fan-Out Driver Platform Services for Novell Identity Manager (IDM) 3.5.1 allows remote attackers to cause a denial of service (daemon crash) via unspecified network traffic that triggers a syslog message containing invalid format string specifiers, as demonstrated by a Nessus scan.",
"id": "GHSA-3725-x3x8-r7jq",
"modified": "2022-05-01T18:44:55Z",
"published": "2022-05-01T18:44:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-6625"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39206"
},
{
"type": "WEB",
"url": "http://osvdb.org/40104"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/28237"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1019144"
},
{
"type": "WEB",
"url": "http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5007560.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/27028"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2007/4311"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-373J-X448-854G
Vulnerability from github – Published: 2025-01-09 09:31 – Updated: 2025-01-09 15:31A post-authentication format string vulnerability in SonicOS management allows a remote attacker to crash a firewall and potentially leads to code execution.
{
"affected": [],
"aliases": [
"CVE-2024-12805"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-09T08:15:26Z",
"severity": "CRITICAL"
},
"details": "A post-authentication format string vulnerability in SonicOS management allows a remote attacker to crash a firewall and potentially leads to code execution.",
"id": "GHSA-373j-x448-854g",
"modified": "2025-01-09T15:31:51Z",
"published": "2025-01-09T09:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12805"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3795-4M6R-47RJ
Vulnerability from github – Published: 2022-05-17 01:30 – Updated: 2022-05-17 01:30Format string vulnerability in the client in Tftpd32 before 4.50 allows remote servers to cause a denial of service (crash) or possibly execute arbitrary code via format string specifiers in the Remote File field.
{
"affected": [],
"aliases": [
"CVE-2013-6809"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-12-13T18:55:00Z",
"severity": "MODERATE"
},
"details": "Format string vulnerability in the client in Tftpd32 before 4.50 allows remote servers to cause a denial of service (crash) or possibly execute arbitrary code via format string specifiers in the Remote File field.",
"id": "GHSA-3795-4m6r-47rj",
"modified": "2022-05-17T01:30:04Z",
"published": "2022-05-17T01:30:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6809"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89455"
},
{
"type": "WEB",
"url": "http://osvdb.org/100511"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/124275/Tftpd32-Client-Side-Format-String.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2013/Dec/15"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Choose a language that is not subject to this flaw.
Mitigation
Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]
Mitigation
Run compilers and linkers with high warning levels, since they may detect incorrect usage.
CAPEC-135: Format String Injection
An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.
CAPEC-67: String Format Overflow in syslog()
This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.