1. Home
  2. Weaknesses
  3. CWE-134

CWE-134: Use of Externally-Controlled Format String

ID CWE-134
Abstraction Base
Structure Simple
Status Draft
Number of CVEs 332
Detail CAPEC Dashboard Vulnerabilities Web & Social
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

When an attacker can modify an externally-controlled format string, this can lead to buffer overflows, denial of service, or data representation problems.

It should be noted that in some circumstances, such as internationalization, the set of format strings is externally controlled by design. If the source of these format strings is trusted (e.g. only contained in library files that are only modifiable by the system administrator), then the external control might not itself pose a vulnerability.

Modes of Introduction

Phase Note
Implementation The programmer rarely intends for a format string to be externally-controlled at all. This weakness is frequently introduced in code that constructs log messages, where a constant format string is omitted.
Implementation In cases such as localization and internationalization, the language-specific message repositories could be an avenue for exploitation, but the format string issue would be resultant, since attacker control of those repositories would also allow modification of message length, format, and content.

Applicable Platforms

Type Class Name Prevalence
Language C
Language C++
Language Perl

Relationships

View Weakness
# ID View Status # ID Name Abstraction Structure Status
CWE-1000 Research Concepts Draft CWE-668 Exposure of Resource to Wrong Sphere Class Simple Draft
CWE-1003 Weaknesses for Simplified Mapping of Published Vulnerabilities Incomplete CWE-668 Exposure of Resource to Wrong Sphere Class Simple Draft
CWE-1000 Research Concepts Draft CWE-123 Write-what-where Condition Base Simple Draft
CWE-700 Seven Pernicious Kingdoms Incomplete CWE-20 Improper Input Validation Class Simple Stable

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org
# ID Name Weaknesses
CAPEC-67 String Format Overflow in syslog() CWE-134
CAPEC-135 Format String Injection CWE-134

CVEs Published

Based on CVE published date

CVSS Severity

CVSS Severity - By Year

CVSS Base Score

# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date