CWE-621
AllowedVariable Extraction Error
Abstraction: Variant · Status: Incomplete
The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.
3 vulnerabilities reference this CWE, most recent first.
CVE-2018-6334 (GCVE-0-2018-6334)
Vulnerability from cvelistv5 – Published: 2018-12-31 20:00 – Updated: 2025-05-06 16:48- CWE-621 - Variable Extraction Error (CWE-621)
| URL | Tags |
|---|---|
| https://github.com/facebook/hhvm/commit/6937de554… | x_refsource_MISC |
| https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:01:48.426Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/facebook/hhvm/commit/6937de5544c3eead3466b75020d8382080ed0cff"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2018-6334",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T16:40:47.018290Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T16:48:40.461Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "HHVM",
"vendor": "Facebook",
"versions": [
{
"status": "affected",
"version": "3.25.2"
},
{
"status": "affected",
"version": "3.25.0"
},
{
"status": "affected",
"version": "3.24.6"
},
{
"status": "affected",
"version": "3.22.0"
},
{
"status": "affected",
"version": "3.21.10"
},
{
"lessThan": "3.21.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"dateAssigned": "2018-03-26T00:00:00.000Z",
"datePublic": "2018-12-31T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multipart-file uploads call variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-621",
"description": "Variable Extraction Error (CWE-621)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-31T19:57:01.000Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "facebook"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/facebook/hhvm/commit/6937de5544c3eead3466b75020d8382080ed0cff"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@fb.com",
"DATE_ASSIGNED": "2018-03-26",
"ID": "CVE-2018-6334",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "HHVM",
"version": {
"version_data": [
{
"version_affected": "!=\u003e",
"version_value": "3.25.2"
},
{
"version_affected": "=\u003e",
"version_value": "3.25.0"
},
{
"version_affected": "!=\u003e",
"version_value": "3.24.6"
},
{
"version_affected": "=\u003e",
"version_value": "3.22.0"
},
{
"version_affected": "!=\u003e",
"version_value": "3.21.10"
},
{
"version_affected": "\u003c",
"version_value": "3.21.10"
}
]
}
}
]
},
"vendor_name": "Facebook"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multipart-file uploads call variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Variable Extraction Error (CWE-621)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/facebook/hhvm/commit/6937de5544c3eead3466b75020d8382080ed0cff",
"refsource": "MISC",
"url": "https://github.com/facebook/hhvm/commit/6937de5544c3eead3466b75020d8382080ed0cff"
},
{
"name": "https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html",
"refsource": "MISC",
"url": "https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "facebook",
"cveId": "CVE-2018-6334",
"datePublished": "2018-12-31T20:00:00.000Z",
"dateReserved": "2018-01-26T00:00:00.000Z",
"dateUpdated": "2025-05-06T16:48:40.461Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-V7MG-WG5H-PCX8
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32Multipart-file uploads call variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below).
{
"affected": [],
"aliases": [
"CVE-2018-6334"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-621"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-31T19:29:00Z",
"severity": "CRITICAL"
},
"details": "Multipart-file uploads call variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below).",
"id": "GHSA-v7mg-wg5h-pcx8",
"modified": "2022-05-13T01:32:03Z",
"published": "2022-05-13T01:32:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6334"
},
{
"type": "WEB",
"url": "https://github.com/facebook/hhvm/commit/6937de5544c3eead3466b75020d8382080ed0cff"
},
{
"type": "WEB",
"url": "https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X962-W72P-MV7Q
Vulnerability from github – Published: 2022-05-17 05:07 – Updated: 2023-08-28 23:52import.php in phpMyAdmin 4.x before 4.0.4.1 does not properly restrict the ability of input data to specify a file format, which allows remote authenticated users to modify the GLOBALS superglobal array, and consequently change the configuration, via a crafted request.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "phpmyadmin/phpmyadmin"
},
"ranges": [
{
"events": [
{
"introduced": "4.0"
},
{
"fixed": "4.0.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-4729"
],
"database_specific": {
"cwe_ids": [
"CWE-621"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-28T23:52:58Z",
"nvd_published_at": "2013-07-04T14:33:00Z",
"severity": "MODERATE"
},
"details": "import.php in phpMyAdmin 4.x before 4.0.4.1 does not properly restrict the ability of input data to specify a file format, which allows remote authenticated users to modify the GLOBALS superglobal array, and consequently change the configuration, via a crafted request.",
"id": "GHSA-x962-w72p-mv7q",
"modified": "2023-08-28T23:52:58Z",
"published": "2022-05-17T05:07:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4729"
},
{
"type": "WEB",
"url": "https://github.com/phpmyadmin/phpmyadmin/commit/012464268420e53a9cd81cbb4a43988d70393c36"
},
{
"type": "PACKAGE",
"url": "https://github.com/phpmyadmin/phpmyadmin"
},
{
"type": "WEB",
"url": "http://www.phpmyadmin.net/home_page/security/PMASA-2013-7.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "phpMyAdmin Global variables scope injection vulnerability"
}
Mitigation
Strategy: Input Validation
Use allowlists of variable names that can be extracted.
Mitigation
Strategy: Refactoring
Consider refactoring your code to avoid extraction routines altogether.
Mitigation
In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.
No CAPEC attack patterns related to this CWE.