CWE-621: Variable Extraction Error

ID CWE-621

Abstraction Variant

Structure Simple

Status Incomplete

Number of CVEs 1

The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.

For example, in PHP, extraction can be used to provide functionality similar to register_globals, a dangerous functionality that is frequently disabled in production systems. Calling extract() or import_request_variables() without the proper arguments could allow arbitrary global variables to be overwritten, including superglobals.

Similar functionality is possible in other interpreted languages, including custom languages.

Modes of Introduction

Phase	Note
Implementation

Applicable Platforms

Type	Class	Name	Prevalence
Language		PHP

Relationships

View			Weakness
# ID	View	Status	# ID	Name	Abstraction	Structure	Status
CWE-1000	Research Concepts	Draft	CWE-914	Improper Control of Dynamically-Identified Variables	Base	Simple	Incomplete
CWE-1000	Research Concepts	Draft	CWE-471	Modification of Assumed-Immutable Data (MAID)	Base	Simple	Draft

CVEs Published

Based on CVE published date

CVSS Severity

CVSS Severity - By Year

CVSS Base Score

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date