CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
ID
CWE-77
Abstraction
Class
Structure
Simple
Status
Draft
Number of CVEs
2100
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Many protocols and products have their own custom command language. While OS or shell command strings are frequently discovered and targeted, developers may not realize that these other command languages might also be vulnerable to attacks.
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | Command injection vulnerabilities typically occur when: Data enters the application from an untrusted source. The data is part of a string that is executed as a command by the application. |
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
Applicable Platforms
| Type | Class | Name | Prevalence |
|---|---|---|---|
| Language | Not Language-Specific | ||
| Technology | AI/ML |
Relationships
| View | Weakness | |||||||
|---|---|---|---|---|---|---|---|---|
| # ID | View | Status | # ID | Name | Abstraction | Structure | Status | |
| CWE-1000 | Research Concepts | Draft | CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | Class | Simple | Incomplete | |
| CWE-1003 | Weaknesses for Simplified Mapping of Published Vulnerabilities | Incomplete | CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | Class | Simple | Incomplete | |
Common Attack Pattern Enumeration and Classification (CAPEC)
The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
CAPEC at Mitre.org| # ID | Name | Weaknesses |
|---|---|---|
| CAPEC-15 | Command Delimiters | CWE-77 |
| CAPEC-40 | Manipulating Writeable Terminal Devices | CWE-77 |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers | CWE-77 |
| CAPEC-75 | Manipulating Writeable Configuration Files | CWE-77 |
| CAPEC-76 | Manipulating Web Input to File System Calls | CWE-77 |
| CAPEC-136 | LDAP Injection | CWE-77 |
| CAPEC-183 | IMAP/SMTP Command Injection | CWE-77 |
| CAPEC-248 | Command Injection | CWE-77 |
CVEs Published
CVSS Severity
CVSS Severity - By Year
CVSS Base Score
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |
Loading...