CWE-134
AllowedUse of Externally-Controlled Format String
Abstraction: Base · Status: Draft
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
501 vulnerabilities reference this CWE, most recent first.
GHSA-6V7M-RGWP-QCR4
Vulnerability from github – Published: 2024-03-12 15:32 – Updated: 2024-03-12 15:32A use of externally-controlled format string vulnerability [CWE-134] in Fortinet FortiManager version 7.4.0 through 7.4.1, version 7.2.0 through 7.2.3 and before 7.0.10, Fortinet FortiAnalyzer version 7.4.0 through 7.4.1, version 7.2.0 through 7.2.3 and before 7.0.10, Fortinet FortiAnalyzer-BigData before 7.2.5 and Fortinet FortiPortal version 6.0 all versions and version 5.3 all versions allows a privileged attacker to execute unauthorized code or commands via specially crafted command arguments.
{
"affected": [],
"aliases": [
"CVE-2023-41842"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-12T15:15:45Z",
"severity": "MODERATE"
},
"details": "A use of externally-controlled format string vulnerability [CWE-134] in Fortinet FortiManager version 7.4.0 through 7.4.1, version 7.2.0 through 7.2.3 and before 7.0.10, Fortinet FortiAnalyzer version 7.4.0 through 7.4.1, version 7.2.0 through 7.2.3 and before 7.0.10, Fortinet FortiAnalyzer-BigData before 7.2.5 and Fortinet FortiPortal version 6.0 all versions and version 5.3 all versions allows a privileged attacker to execute unauthorized code or commands via specially crafted command arguments.",
"id": "GHSA-6v7m-rgwp-qcr4",
"modified": "2024-03-12T15:32:21Z",
"published": "2024-03-12T15:32:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41842"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-23-304"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6XVC-57G8-CQ77
Vulnerability from github – Published: 2022-05-17 02:30 – Updated: 2022-05-17 02:30A vulnerability in the DHCP code for the Zero Touch Provisioning feature of Cisco ASR 920 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to a format string vulnerability when processing a crafted DHCP packet for Zero Touch Provisioning. An attacker could exploit this vulnerability by sending a specially crafted DHCP packet to an affected device. An exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition. This vulnerability affects Cisco ASR 920 Series Aggregation Services Routers that are running an affected release of Cisco IOS XE Software (3.13 through 3.18) and are listening on the DHCP server port. By default, the devices do not listen on the DHCP server port. Cisco Bug IDs: CSCuy56385.
{
"affected": [],
"aliases": [
"CVE-2017-3859"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-22T19:59:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the DHCP code for the Zero Touch Provisioning feature of Cisco ASR 920 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to a format string vulnerability when processing a crafted DHCP packet for Zero Touch Provisioning. An attacker could exploit this vulnerability by sending a specially crafted DHCP packet to an affected device. An exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition. This vulnerability affects Cisco ASR 920 Series Aggregation Services Routers that are running an affected release of Cisco IOS XE Software (3.13 through 3.18) and are listening on the DHCP server port. By default, the devices do not listen on the DHCP server port. Cisco Bug IDs: CSCuy56385.",
"id": "GHSA-6xvc-57g8-cq77",
"modified": "2022-05-17T02:30:13Z",
"published": "2022-05-17T02:30:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3859"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-ztp"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97008"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038104"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-72H8-X8GH-6PW7
Vulnerability from github – Published: 2022-05-02 03:57 – Updated: 2022-05-02 03:57Multiple format string vulnerabilities in the tolog function in httpdx 1.4, 1.4.5, 1.4.6, 1.4.6b, and 1.5 allow (1) remote attackers to execute arbitrary code via format string specifiers in a GET request to the HTTP server component when logging is enabled, and allow (2) remote authenticated users to execute arbitrary code via format string specifiers in a PWD command to the FTP server component.
{
"affected": [],
"aliases": [
"CVE-2009-4769"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-04-20T14:30:00Z",
"severity": "HIGH"
},
"details": "Multiple format string vulnerabilities in the tolog function in httpdx 1.4, 1.4.5, 1.4.6, 1.4.6b, and 1.5 allow (1) remote attackers to execute arbitrary code via format string specifiers in a GET request to the HTTP server component when logging is enabled, and allow (2) remote authenticated users to execute arbitrary code via format string specifiers in a PWD command to the FTP server component.",
"id": "GHSA-72h8-x8gh-6pw7",
"modified": "2022-05-02T03:57:55Z",
"published": "2022-05-02T03:57:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-4769"
},
{
"type": "WEB",
"url": "http://osvdb.org/60181"
},
{
"type": "WEB",
"url": "http://osvdb.org/60182"
},
{
"type": "WEB",
"url": "http://www.metasploit.com/redmine/projects/framework/repository/revisions/7569/entry/modules/exploits/windows/ftp/httpdx_tolog_format.rb"
},
{
"type": "WEB",
"url": "http://www.metasploit.com/redmine/projects/framework/repository/revisions/7569/entry/modules/exploits/windows/http/httpdx_tolog_format.rb"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2009/3312"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-72JW-4JCQ-XH9J
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32Wire before 2020-10-16 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a format string. This affects Wire AVS (Audio, Video, and Signaling) 5.3 through 6.x before 6.4, the Wire Secure Messenger application before 3.49.918 for Android, and the Wire Secure Messenger application before 3.61 for iOS. This occurs via the value parameter to sdp_media_set_lattr in peerflow/sdp.c.
{
"affected": [],
"aliases": [
"CVE-2020-27853"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-27T18:15:00Z",
"severity": "CRITICAL"
},
"details": "Wire before 2020-10-16 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a format string. This affects Wire AVS (Audio, Video, and Signaling) 5.3 through 6.x before 6.4, the Wire Secure Messenger application before 3.49.918 for Android, and the Wire Secure Messenger application before 3.61 for iOS. This occurs via the value parameter to sdp_media_set_lattr in peerflow/sdp.c.",
"id": "GHSA-72jw-4jcq-xh9j",
"modified": "2022-05-24T17:32:37Z",
"published": "2022-05-24T17:32:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27853"
},
{
"type": "WEB",
"url": "https://github.com/wireapp/wire-audio-video-signaling/issues/23#issuecomment-710075689"
},
{
"type": "WEB",
"url": "http://github.security.telekom.com/2020/11/wire-secure-messenger-format-string-vulnerability.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-7453-M98R-24J9
Vulnerability from github – Published: 2026-07-03 15:31 – Updated: 2026-07-03 15:31Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an use of externally-controlled format string vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure and denial of service.
{
"affected": [],
"aliases": [
"CVE-2026-46465"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-03T14:16:30Z",
"severity": "MODERATE"
},
"details": "Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an use of externally-controlled format string vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure and denial of service.",
"id": "GHSA-7453-m98r-24j9",
"modified": "2026-07-03T15:31:58Z",
"published": "2026-07-03T15:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46465"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000481268/dsa-2026-278-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-74W3-2R77-FW5H
Vulnerability from github – Published: 2022-04-03 00:00 – Updated: 2022-04-18 22:21A Python format string issue leading to information disclosure and potentially remote code execution in ConsoleMe for all versions prior to 1.2.2
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "consoleme"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-27177"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-05T17:54:33Z",
"nvd_published_at": "2022-04-01T23:15:00Z",
"severity": "CRITICAL"
},
"details": "A Python format string issue leading to information disclosure and potentially remote code execution in ConsoleMe for all versions prior to 1.2.2",
"id": "GHSA-74w3-2r77-fw5h",
"modified": "2022-04-18T22:21:17Z",
"published": "2022-04-03T00:00:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27177"
},
{
"type": "WEB",
"url": "https://github.com/Netflix/consoleme/commit/2a3c84eee524d77c427b3329a8419cbbce9e1d16"
},
{
"type": "PACKAGE",
"url": "https://github.com/Netflix/ConsoleMe"
},
{
"type": "WEB",
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2022-001.md"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/consoleme/PYSEC-2022-189.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Use of Externally-Controlled Format String in consoleme"
}
GHSA-76G8-VF43-PMGG
Vulnerability from github – Published: 2022-05-17 04:00 – Updated: 2022-05-17 04:00Format string vulnerability in the up.time client in Idera Uptime Infrastructure Monitor 6.0 and 7.2 allows remote attackers to cause a denial of service (application crash) via format string specifiers.
{
"affected": [],
"aliases": [
"CVE-2015-2894"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-12-31T05:59:00Z",
"severity": "MODERATE"
},
"details": "Format string vulnerability in the up.time client in Idera Uptime Infrastructure Monitor 6.0 and 7.2 allows remote attackers to cause a denial of service (application crash) via format string specifiers.",
"id": "GHSA-76g8-vf43-pmgg",
"modified": "2022-05-17T04:00:17Z",
"published": "2022-05-17T04:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2894"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/377260"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-76XJ-3V79-3JWJ
Vulnerability from github – Published: 2023-09-04 03:30 – Updated: 2023-09-04 03:30A vulnerability classified as critical has been found in TOTOLINK N200RE V5 9.3.5u.6437_B20230519. This affects the function Validity_check. The manipulation leads to format string. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-238635.
{
"affected": [],
"aliases": [
"CVE-2023-4746"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-04T01:15:07Z",
"severity": "HIGH"
},
"details": "A vulnerability classified as critical has been found in TOTOLINK N200RE V5 9.3.5u.6437_B20230519. This affects the function Validity_check. The manipulation leads to format string. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-238635.",
"id": "GHSA-76xj-3v79-3jwj",
"modified": "2023-09-04T03:30:17Z",
"published": "2023-09-04T03:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4746"
},
{
"type": "WEB",
"url": "https://gist.github.com/dmknght/8f3b6aa65e9d08f45b5236c6e9ab8d80"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.238635"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.238635"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7838-J28V-C2RP
Vulnerability from github – Published: 2022-12-19 15:30 – Updated: 2022-12-27 18:30A vulnerability was found in multimon-ng. It has been rated as critical. This issue affects the function add_ch of the file demod_flex.c. The manipulation of the argument ch leads to format string. Upgrading to version 1.2.0 is able to address this issue. The name of the patch is e5a51c508ef952e81a6da25b43034dd1ed023c07. It is recommended to upgrade the affected component. The identifier VDB-216269 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2020-36619"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-19T14:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability was found in multimon-ng. It has been rated as critical. This issue affects the function add_ch of the file demod_flex.c. The manipulation of the argument ch leads to format string. Upgrading to version 1.2.0 is able to address this issue. The name of the patch is e5a51c508ef952e81a6da25b43034dd1ed023c07. It is recommended to upgrade the affected component. The identifier VDB-216269 was assigned to this vulnerability.",
"id": "GHSA-7838-j28v-c2rp",
"modified": "2022-12-27T18:30:20Z",
"published": "2022-12-19T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36619"
},
{
"type": "WEB",
"url": "https://github.com/EliasOenal/multimon-ng/pull/160"
},
{
"type": "WEB",
"url": "https://github.com/EliasOenal/multimon-ng/commit/e5a51c508ef952e81a6da25b43034dd1ed023c07"
},
{
"type": "WEB",
"url": "https://github.com/EliasOenal/multimon-ng/releases/tag/1.2.0"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.216269"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-78F6-722X-3325
Vulnerability from github – Published: 2022-05-14 03:35 – Updated: 2022-05-14 03:35Huawei VP9660 V500R002C10 has a uncontrolled format string vulnerability when the license module output the log information. An authenticated local attacker could exploit this vulnerability to cause a denial of service.
{
"affected": [],
"aliases": [
"CVE-2017-17132"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-05T19:29:00Z",
"severity": "MODERATE"
},
"details": "Huawei VP9660 V500R002C10 has a uncontrolled format string vulnerability when the license module output the log information. An authenticated local attacker could exploit this vulnerability to cause a denial of service.",
"id": "GHSA-78f6-722x-3325",
"modified": "2022-05-14T03:35:26Z",
"published": "2022-05-14T03:35:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17132"
},
{
"type": "WEB",
"url": "http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171206-01-license-en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that is not subject to this flaw.
Mitigation
Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]
Mitigation
Run compilers and linkers with high warning levels, since they may detect incorrect usage.
CAPEC-135: Format String Injection
An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.
CAPEC-67: String Format Overflow in syslog()
This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.