1. Home
  2. Weaknesses
  3. CWE-99

CWE-99: Improper Control of Resource Identifiers ('Resource Injection')

ID CWE-99
Abstraction Class
Structure Simple
Status Draft
Number of CVEs 23
Detail CAPEC Dashboard Vulnerabilities Web & Social
The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

A resource injection issue occurs when the following two conditions are met:

  1. An attacker can specify the identifier used to access a system resource. For example, an attacker might be able to specify part of the name of a file to be opened or a port number to be used.
  2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to overwrite the specified file, run with a configuration controlled by the attacker, or transmit sensitive information to a third-party server.

This may enable an attacker to access or modify otherwise protected system resources.

Modes of Introduction

Phase Note
Architecture and Design
Implementation REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Applicable Platforms

Type Class Name Prevalence
Language Not Language-Specific

Relationships

View Weakness
# ID View Status # ID Name Abstraction Structure Status
CWE-1000 Research Concepts Draft CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Class Simple Incomplete
CWE-1000 Research Concepts Draft CWE-706 Use of Incorrectly-Resolved Name or Reference Class Simple Incomplete
CWE-1000 Research Concepts Draft CWE-73 External Control of File Name or Path Base Simple Draft

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org
# ID Name Weaknesses
CAPEC-10 Buffer Overflow via Environment Variables CWE-99
CAPEC-75 Manipulating Writeable Configuration Files CWE-99
CAPEC-240 Resource Injection CWE-99

CVEs Published

Based on CVE published date

CVSS Severity

CVSS Severity - By Year

CVSS Base Score

# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date