1. Home
  2. Weaknesses
  3. CWE-74

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ID CWE-74
Abstraction Class
Structure Simple
Status Incomplete
Number of CVEs 1020
Detail CAPEC Dashboard Vulnerabilities Web & Social
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Software or other automated logic has certain assumptions about what constitutes data and control respectively. It is the lack of verification of these assumptions for user-controlled input that leads to injection problems. Injection problems encompass a wide variety of issues -- all mitigated in very different ways and usually attempted in order to alter the control flow of the process. For this reason, the most effective way to discuss these weaknesses is to note the distinct features that classify them as injection weaknesses. The most important issue to note is that all injection problems share one thing in common -- i.e., they allow for the injection of control plane data into the user-controlled data plane. This means that the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism. While buffer overflows, and many other flaws, involve the use of some further issue to gain execution, injection problems need only for the data to be parsed.

Modes of Introduction

Phase Note
Implementation REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Applicable Platforms

Type Class Name Prevalence
Language Not Language-Specific

Relationships

View Weakness
# ID View Status # ID Name Abstraction Structure Status
CWE-1000 Research Concepts Draft CWE-707 Improper Neutralization Pillar Simple Incomplete

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org
# ID Name Weaknesses
CAPEC-3 Using Leading 'Ghost' Character Sequences to Bypass Input Filters CWE-74
CAPEC-6 Argument Injection CWE-74
CAPEC-7 Blind SQL Injection CWE-74
CAPEC-8 Buffer Overflow in an API Call CWE-74
CAPEC-9 Buffer Overflow in Local Command-Line Utilities CWE-74
CAPEC-10 Buffer Overflow via Environment Variables CWE-74
CAPEC-13 Subverting Environment Variable Values CWE-74
CAPEC-14 Client-side Injection-induced Buffer Overflow CWE-74
CAPEC-24 Filter Failure through Buffer Overflow CWE-74
CAPEC-28 Fuzzing CWE-74
CAPEC-34 HTTP Response Splitting CWE-74
CAPEC-42 MIME Conversion CWE-74
CAPEC-43 Exploiting Multiple Input Interpretation Layers CWE-74
CAPEC-45 Buffer Overflow via Symbolic Links CWE-74
CAPEC-46 Overflow Variables and Tags CWE-74
CAPEC-47 Buffer Overflow via Parameter Expansion CWE-74
CAPEC-51 Poison Web Service Registry CWE-74
CAPEC-52 Embedding NULL Bytes CWE-74
CAPEC-53 Postfix, Null Terminate, and Backslash CWE-74
CAPEC-64 Using Slashes and URL Encoding Combined to Bypass Validation Logic CWE-74
CAPEC-67 String Format Overflow in syslog() CWE-74
CAPEC-71 Using Unicode Encoding to Bypass Validation Logic CWE-74
CAPEC-72 URL Encoding CWE-74
CAPEC-76 Manipulating Web Input to File System Calls CWE-74
CAPEC-78 Using Escaped Slashes in Alternate Encoding CWE-74
CAPEC-79 Using Slashes in Alternate Encoding CWE-74
CAPEC-80 Using UTF-8 Encoding to Bypass Validation Logic CWE-74
CAPEC-83 XPath Injection CWE-74
CAPEC-84 XQuery Injection CWE-74
CAPEC-101 Server Side Include (SSI) Injection CWE-74
CAPEC-105 HTTP Request Splitting CWE-74
CAPEC-108 Command Line Execution through SQL Injection CWE-74
CAPEC-120 Double Encoding CWE-74
CAPEC-135 Format String Injection CWE-74
CAPEC-250 XML Injection CWE-74
CAPEC-267 Leverage Alternate Encoding CWE-74
CAPEC-273 HTTP Response Smuggling CWE-74

CVEs Published

Based on CVE published date

CVSS Severity

CVSS Severity - By Year

CVSS Base Score

# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date