Common Weakness Enumeration

CWE-94

Allowed-with-Review

Improper Control of Generation of Code ('Code Injection')

Abstraction: Base · Status: Draft

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

8271 vulnerabilities reference this CWE, most recent first.

GHSA-XP75-R577-CVHP

Vulnerability from github – Published: 2025-08-08 14:37 – Updated: 2025-08-11 13:56
VLAI
Summary
Privileged OpenBao Operator May Execute Code on the Underlying Host
Details

Impact

Under certain threat models, OpenBao operators with privileged API access may not be system administrators and thus normally lack the ability to update binaries or execute code on the system. Additionally, privileged API operators should be unable to perform TCP connections to arbitrary hosts in the environment OpenBao is executing within. The API-driven audit subsystem granted privileged API operators the ability to do both with an attacker-controlled log prefix. Access to these endpoints should be restricted.

Patches

OpenBao v2.3.2 will patch this issue.

Workarounds

Users may deny all access to the sys/audit/* interface (with create and update) permission via policies with explicit deny grants. This would not restrict root level operators, however, for whom there are no workarounds.

This interface allowed arbitrary filesystem and network (write) access as the user the OpenBao server was running as; in conjunction with allowing custom plugins or other system processes this may enable code execution.

References

This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:

  • https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033
  • https://nvd.nist.gov/vuln/detail/CVE-2025-6000
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            },
            {
              "fixed": "2.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20250806194004-a14053c9679d"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54997"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-08T14:37:22Z",
    "nvd_published_at": "2025-08-09T03:15:46Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nUnder certain threat models, OpenBao operators with privileged API access may not be system administrators and thus normally lack the ability to update binaries or execute code on the system. Additionally, privileged API operators should be unable to perform TCP connections to arbitrary hosts in the environment OpenBao is executing within. The API-driven audit subsystem granted privileged API operators the ability to do both with an attacker-controlled log prefix. Access to these endpoints should be restricted.\n\n### Patches\n\nOpenBao v2.3.2 will patch this issue.\n\n### Workarounds\n\nUsers may deny all access to the `sys/audit/*` interface (with `create` and `update`) permission via policies with explicit deny grants. This would not restrict `root` level operators, however, for whom there are no workarounds. \n\nThis interface allowed arbitrary filesystem and network (write) access as the user the OpenBao server was running as; in conjunction with allowing custom plugins or other system processes this may enable code execution.\n\n### References\n\nThis issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:\n\n- https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033\n- https://nvd.nist.gov/vuln/detail/CVE-2025-6000",
  "id": "GHSA-xp75-r577-cvhp",
  "modified": "2025-08-11T13:56:30Z",
  "published": "2025-08-08T14:37:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54997"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6000"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/pull/1634"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/commit/a14053c9679d6e9cf370f00cf933476cda6d84a2"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openbao/openbao"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/releases/tag/v2.3.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Privileged OpenBao Operator May Execute Code on the Underlying Host"
}

GHSA-XP97-F35X-XJMV

Vulnerability from github – Published: 2021-12-16 00:02 – Updated: 2022-07-13 00:01
VLAI
Details

Microsoft SharePoint Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-42309.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42294"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-15T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Microsoft SharePoint Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-42309.",
  "id": "GHSA-xp97-f35x-xjmv",
  "modified": "2022-07-13T00:01:42Z",
  "published": "2021-12-16T00:02:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42294"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42294"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XPG5-44JP-9X4P

Vulnerability from github – Published: 2023-10-06 15:30 – Updated: 2024-04-04 08:22
VLAI
Details

IBM Spectrum Protect Client and IBM Storage Protect for Virtual Environments 8.1.0.0 through 8.1.19.0 could allow a local user to execute arbitrary code on the system using a specially crafted file, caused by a DLL hijacking flaw. IBM X-Force ID: 259246.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35897"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-427",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-06T14:15:11Z",
    "severity": "HIGH"
  },
  "details": "IBM Spectrum Protect Client and IBM Storage Protect for Virtual Environments 8.1.0.0 through 8.1.19.0 could allow a local user to execute arbitrary code on the system using a specially crafted file, caused by a DLL hijacking flaw.  IBM X-Force ID:  259246.",
  "id": "GHSA-xpg5-44jp-9x4p",
  "modified": "2024-04-04T08:22:23Z",
  "published": "2023-10-06T15:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35897"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/259246"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7037299"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XPP7-FCX9-3JH8

Vulnerability from github – Published: 2022-05-01 18:18 – Updated: 2022-05-01 18:18
VLAI
Details

Microsoft Internet Explorer 5.01 through 7 allows remote attackers to spoof the URL address bar and other "trust UI" components via unspecified vectors, a different issue than CVE-2007-1091 and CVE-2007-3826.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-3892"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-10-09T22:17:00Z",
    "severity": "HIGH"
  },
  "details": "Microsoft Internet Explorer 5.01 through 7 allows remote attackers to spoof the URL address bar and other \"trust UI\" components via unspecified vectors, a different issue than CVE-2007-1091 and CVE-2007-3826.",
  "id": "GHSA-xpp7-fcx9-3jh8",
  "modified": "2022-05-01T18:18:20Z",
  "published": "2022-05-01T18:18:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-3892"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-057"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2244"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/27133"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1018788"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/482366/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/25915"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA07-282A.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/3437"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XPWQ-W665-CF7C

Vulnerability from github – Published: 2022-05-02 06:20 – Updated: 2022-05-02 06:20
VLAI
Details

Unspecified vulnerability in Microsoft Office Excel 2002 SP3 and Office 2004 for Mac allows remote attackers to execute arbitrary code via a crafted Excel file, aka "Excel String Variable Vulnerability."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-1252"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-06-08T20:30:00Z",
    "severity": "HIGH"
  },
  "details": "Unspecified vulnerability in Microsoft Office Excel 2002 SP3 and Office 2004 for Mac allows remote attackers to execute arbitrary code via a crafted Excel file, aka \"Excel String Variable Vulnerability.\"",
  "id": "GHSA-xpwq-w665-cf7c",
  "modified": "2022-05-02T06:20:39Z",
  "published": "2022-05-02T06:20:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-1252"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-038"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7369"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/40530"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA10-159B.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XPXR-6MR7-M8W3

Vulnerability from github – Published: 2022-05-17 05:32 – Updated: 2025-04-11 03:53
VLAI
Details

RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via a crafted sample size in a RealAudio file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-4251"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-11-24T11:55:00Z",
    "severity": "HIGH"
  },
  "details": "RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via a crafted sample size in a RealAudio file.",
  "id": "GHSA-xpxr-6mr7-m8w3",
  "modified": "2025-04-11T03:53:01Z",
  "published": "2022-05-17T05:32:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4251"
    },
    {
      "type": "WEB",
      "url": "http://service.real.com/realplayer/security/11182011_player/en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XQ29-JCJ7-XG86

Vulnerability from github – Published: 2022-05-17 01:56 – Updated: 2025-04-12 02:04
VLAI
Summary
Webkit PDFs for TYPO3 allows remote attackers to execute arbitrary commands
Details

Unspecified vulnerability in the Webkit PDFs (webkitpdf) extension before 1.1.4 for TYPO3 allows remote attackers to execute arbitrary commands via unknown vectors.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "dmk/webkitpdf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2010-4962"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-12T02:04:15Z",
    "nvd_published_at": "2011-10-09T10:55:00Z",
    "severity": "HIGH"
  },
  "details": "Unspecified vulnerability in the Webkit PDFs (webkitpdf) extension before 1.1.4 for TYPO3 allows remote attackers to execute arbitrary commands via unknown vectors.",
  "id": "GHSA-xq29-jcj7-xg86",
  "modified": "2025-04-12T02:04:15Z",
  "published": "2022-05-17T01:56:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4962"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/61058"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/DMKEBUSINESSGMBH/webkitpdf"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20101218181134/http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-015"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20111015170040/http://www.securityfocus.com/bid/42381"
    },
    {
      "type": "WEB",
      "url": "http://typo3.org/extensions/repository/view/webkitpdf/1.1.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Webkit PDFs for TYPO3  allows remote attackers to execute arbitrary commands"
}

GHSA-XQ2H-7FP3-456V

Vulnerability from github – Published: 2025-02-07 18:31 – Updated: 2025-02-07 18:31
VLAI
Details

The WP ALL Export Pro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to improper user input validation and sanitization in all versions up to, and including, 1.9.1. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7425"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-07T17:15:30Z",
    "severity": "MODERATE"
  },
  "details": "The WP ALL Export Pro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to improper user input validation and sanitization in all versions up to, and including, 1.9.1. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.",
  "id": "GHSA-xq2h-7fp3-456v",
  "modified": "2025-02-07T18:31:23Z",
  "published": "2025-02-07T18:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7425"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9205896-487d-4b8f-84cf-7ba16e1205e3?source=cve"
    },
    {
      "type": "WEB",
      "url": "https://www.wpallimport.com/upgrade-to-wp-all-export-pro"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XQ3M-2V4X-88GG

Vulnerability from github – Published: 2026-04-16 22:34 – Updated: 2026-05-04 22:12
VLAI
Summary
Arbitrary code execution in protobufjs
Details

Summary

protobufjs could execute generated JavaScript code derived from protobuf schema metadata. When loading a crafted JSON descriptor, schema-controlled type names and type references could reach runtime code generation without sufficient validation.

Impact

An attacker who can provide a malicious protobuf definition or JSON descriptor to an application may be able to execute arbitrary JavaScript in the context of the process using protobufjs.

This requires control over the protobuf schema or descriptor being loaded. Applications that only decode messages using trusted, application-defined schemas are not directly affected by this issue.

Preconditions

  • The application must allow an attacker to control or influence a protobuf definition or JSON descriptor.
  • The application must load that definition through protobufjs reflection APIs such as descriptor loading.
  • The affected generated-code path must be reached, for example by performing an operation on the loaded type.

Workarounds

Do not load protobuf definitions or JSON descriptors from untrusted sources with affected versions. If untrusted schemas must be accepted, validate or restrict them before loading and run schema processing in an isolated environment.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "protobufjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "protobufjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41242"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T22:34:57Z",
    "nvd_published_at": "2026-04-18T17:16:13Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nprotobufjs could execute generated JavaScript code derived from protobuf schema metadata. When loading a crafted JSON descriptor, schema-controlled type names and type references could reach runtime code generation without sufficient validation.\n\n## Impact\n\nAn attacker who can provide a malicious protobuf definition or JSON descriptor to an application may be able to execute arbitrary JavaScript in the context of the process using protobufjs.\n\nThis requires control over the protobuf schema or descriptor being loaded. Applications that only decode messages using trusted, application-defined schemas are not directly affected by this issue.\n\n## Preconditions\n\n- The application must allow an attacker to control or influence a protobuf definition or JSON descriptor.\n- The application must load that definition through protobufjs reflection APIs such as descriptor loading.\n- The affected generated-code path must be reached, for example by performing an operation on the loaded type.\n\n## Workarounds\n\nDo not load protobuf definitions or JSON descriptors from untrusted sources with affected versions. If untrusted schemas must be accepted, validate or restrict them before loading and run schema processing in an isolated environment.",
  "id": "GHSA-xq3m-2v4x-88gg",
  "modified": "2026-05-04T22:12:42Z",
  "published": "2026-04-16T22:34:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41242"
    },
    {
      "type": "WEB",
      "url": "https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75"
    },
    {
      "type": "WEB",
      "url": "https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/protobufjs/protobuf.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Arbitrary code execution in protobufjs"
}

GHSA-XQ48-PC3G-F75M

Vulnerability from github – Published: 2022-05-01 18:30 – Updated: 2022-05-01 18:30
VLAI
Details

PHP remote file inclusion vulnerability in forum/forum.php in lustig.cms BETA 2.5 allows remote attackers to execute arbitrary PHP code via a URL in the view parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-5138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-09-28T21:17:00Z",
    "severity": "MODERATE"
  },
  "details": "PHP remote file inclusion vulnerability in forum/forum.php in lustig.cms BETA 2.5 allows remote attackers to execute arbitrary PHP code via a URL in the view parameter.",
  "id": "GHSA-xq48-pc3g-f75m",
  "modified": "2022-05-01T18:30:35Z",
  "published": "2022-05-01T18:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5138"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36830"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/4461"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/25833"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design

Strategy: Refactoring

Refactor your program so that you do not have to dynamically generate code.

Mitigation
Architecture and Design
  • Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.
  • Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Mitigation
Testing

Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Mitigation MIT-32
Operation

Strategy: Compilation or Build Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation MIT-32
Operation

Strategy: Environment Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation
Implementation

For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].

CAPEC-242: Code Injection

An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.