Common Weakness Enumeration

CWE-621

Allowed

Variable Extraction Error

Abstraction: Variant · Status: Incomplete

The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.

3 vulnerabilities reference this CWE, most recent first.

CVE-2018-6334 (GCVE-0-2018-6334)

Vulnerability from cvelistv5 – Published: 2018-12-31 20:00 – Updated: 2025-05-06 16:48
VLAI
Summary
Multipart-file uploads call variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below).
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-621 - Variable Extraction Error (CWE-621)
Assigner
References
Impacted products
Vendor Product Version
Facebook HHVM Affected: 3.25.2
Affected: 3.25.0
Affected: 3.24.6
Affected: 3.22.0
Affected: 3.21.10
Affected: unspecified , < 3.21.10 (custom)
Create a notification for this product.
Date Public
2018-12-31 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:01:48.426Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/facebook/hhvm/commit/6937de5544c3eead3466b75020d8382080ed0cff"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2018-6334",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-06T16:40:47.018290Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-06T16:48:40.461Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "HHVM",
          "vendor": "Facebook",
          "versions": [
            {
              "status": "affected",
              "version": "3.25.2"
            },
            {
              "status": "affected",
              "version": "3.25.0"
            },
            {
              "status": "affected",
              "version": "3.24.6"
            },
            {
              "status": "affected",
              "version": "3.22.0"
            },
            {
              "status": "affected",
              "version": "3.21.10"
            },
            {
              "lessThan": "3.21.10",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "dateAssigned": "2018-03-26T00:00:00.000Z",
      "datePublic": "2018-12-31T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multipart-file uploads call variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-621",
              "description": "Variable Extraction Error (CWE-621)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-12-31T19:57:01.000Z",
        "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "shortName": "facebook"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/facebook/hhvm/commit/6937de5544c3eead3466b75020d8382080ed0cff"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assign@fb.com",
          "DATE_ASSIGNED": "2018-03-26",
          "ID": "CVE-2018-6334",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "HHVM",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "3.25.2"
                          },
                          {
                            "version_affected": "=\u003e",
                            "version_value": "3.25.0"
                          },
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "3.24.6"
                          },
                          {
                            "version_affected": "=\u003e",
                            "version_value": "3.22.0"
                          },
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "3.21.10"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "3.21.10"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Facebook"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multipart-file uploads call variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Variable Extraction Error (CWE-621)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/facebook/hhvm/commit/6937de5544c3eead3466b75020d8382080ed0cff",
              "refsource": "MISC",
              "url": "https://github.com/facebook/hhvm/commit/6937de5544c3eead3466b75020d8382080ed0cff"
            },
            {
              "name": "https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html",
              "refsource": "MISC",
              "url": "https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
    "assignerShortName": "facebook",
    "cveId": "CVE-2018-6334",
    "datePublished": "2018-12-31T20:00:00.000Z",
    "dateReserved": "2018-01-26T00:00:00.000Z",
    "dateUpdated": "2025-05-06T16:48:40.461Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-V7MG-WG5H-PCX8

Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32
VLAI
Details

Multipart-file uploads call variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-6334"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-621"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-31T19:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Multipart-file uploads call variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below).",
  "id": "GHSA-v7mg-wg5h-pcx8",
  "modified": "2022-05-13T01:32:03Z",
  "published": "2022-05-13T01:32:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6334"
    },
    {
      "type": "WEB",
      "url": "https://github.com/facebook/hhvm/commit/6937de5544c3eead3466b75020d8382080ed0cff"
    },
    {
      "type": "WEB",
      "url": "https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X962-W72P-MV7Q

Vulnerability from github – Published: 2022-05-17 05:07 – Updated: 2023-08-28 23:52
VLAI
Summary
phpMyAdmin Global variables scope injection vulnerability
Details

import.php in phpMyAdmin 4.x before 4.0.4.1 does not properly restrict the ability of input data to specify a file format, which allows remote authenticated users to modify the GLOBALS superglobal array, and consequently change the configuration, via a crafted request.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpmyadmin/phpmyadmin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0"
            },
            {
              "fixed": "4.0.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2013-4729"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-621"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-28T23:52:58Z",
    "nvd_published_at": "2013-07-04T14:33:00Z",
    "severity": "MODERATE"
  },
  "details": "import.php in phpMyAdmin 4.x before 4.0.4.1 does not properly restrict the ability of input data to specify a file format, which allows remote authenticated users to modify the GLOBALS superglobal array, and consequently change the configuration, via a crafted request.",
  "id": "GHSA-x962-w72p-mv7q",
  "modified": "2023-08-28T23:52:58Z",
  "published": "2022-05-17T05:07:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4729"
    },
    {
      "type": "WEB",
      "url": "https://github.com/phpmyadmin/phpmyadmin/commit/012464268420e53a9cd81cbb4a43988d70393c36"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/phpmyadmin/phpmyadmin"
    },
    {
      "type": "WEB",
      "url": "http://www.phpmyadmin.net/home_page/security/PMASA-2013-7.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "phpMyAdmin Global variables scope injection vulnerability"
}

Mitigation
Implementation

Strategy: Input Validation

Use allowlists of variable names that can be extracted.

Mitigation
Implementation

Strategy: Refactoring

Consider refactoring your code to avoid extraction routines altogether.

Mitigation
Implementation

In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.

No CAPEC attack patterns related to this CWE.