CWE-94: Improper Control of Generation of Code ('Code Injection')

ID CWE-94
Abstraction Base
Structure Simple
Status Draft
Number of CVEs 3327
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

When a product allows a user's input to contain code syntax, it might be possible for an attacker to craft the code in such a way that it will alter the intended control flow of the product. Such an alteration could lead to arbitrary code execution.

Injection problems encompass a wide variety of issues -- all mitigated in very different ways. For this reason, the most effective way to discuss these weaknesses is to note the distinct features which classify them as injection weaknesses. The most important issue to note is that all injection problems share one thing in common -- i.e., they allow for the injection of control plane data into the user-controlled data plane. This means that the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism. While buffer overflows, and many other flaws, involve the use of some further issue to gain execution, injection problems need only for the data to be parsed. The most classic instantiations of this category of weakness are SQL injection and format string vulnerabilities.

Modes of Introduction

Phase Note
Implementation REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Applicable Platforms

Type Class Name Prevalence
Language Interpreted

Relationships

View Weakness
# ID View Status # ID Name Abstraction Structure Status
CWE-1000 Research Concepts Draft CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Class Simple Incomplete
CWE-1003 Weaknesses for Simplified Mapping of Published Vulnerabilities Incomplete CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Class Simple Incomplete
CWE-1000 Research Concepts Draft CWE-913 Improper Control of Dynamically-Managed Code Resources Class Simple Incomplete

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at MITRE.org
# ID Name
CAPEC-35 Leverage Executable Code in Non-Executable Files
CAPEC-77 Manipulating User-Controlled Variables
CAPEC-242 Code Injection

CVEs Published

CVSS Severity

CVSS Severity - By Year

CVSS Base Score

# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date
Loading...
Loading...