CWE-914 detail

CWE-914
Improper Control of Dynamically-Identified Variables
Status: Incomplete
Created: 2013-02-21 00:00 +00:00
Last modified: 2023-10-26 00:00 +00:00

Name: Improper Control of Dynamically-Identified Variables

The product does not properly restrict reading from or writing to dynamically-identified variables.

CWE description

Many languages offer powerful features that allow the programmer to access arbitrary variables that are specified by an input string. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can modify unintended variables that have security implications.

General information

Modes of introduction

Implementation

Common consequences

Scope             Impact                                     Likelihood
Integrity         Modify Application Data                    -
                  Note: An attacker could modify sensitive data or program variables.
Integrity         Execute Unauthorized Code or Commands      -
Other, Integrity  Varies by Context, Alter Execution Logic   -

Observed examples

Reference       Description
CVE-2006-7135   extract issue enables file inclusion
CVE-2006-7079   Chain: extract used for register_globals compatibility layer, enables path traversal (CWE-22)
CVE-2007-0649   extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.
CVE-2006-6661   extract() enables static code injection
CVE-2006-2828   import_request_variables() buried in include files makes post-disclosure analysis confusing
CVE-2009-0422   Chain: Dynamic variable evaluation allows resultant remote file inclusion and path traversal.
CVE-2007-2431   Chain: dynamic variable evaluation in PHP program used to modify critical, unexpected $_SERVER variable for resultant XSS.
CVE-2006-4904   Chain: dynamic variable evaluation in PHP program used to conduct remote file inclusion.
CVE-2006-4019   Dynamic variable evaluation in mail program allows reading and modifying attachments and preferences of other users.

Potential mitigations

Phases: Implementation
For any externally-influenced input, check the input against an allowlist of internal program variables that are allowed to be modified.
Phases: Implementation // Architecture and Design
Refactor the code so that internal program variables do not need to be dynamically identified.
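The description above explains the weakness in general terms and the observed examples are all PHP code that hands request data to extract() or evaluates variable names taken from input. The following is an added example, not part of the CWE entry or of any of the referenced projects: a function that shows the weak pattern next to a version applying both mitigations (an allowlist of accepted parameters, and internal variables that are named explicitly rather than derived from input). The function names, the parameter names and the request array are constructed for illustration.

```php
<?php
// Added example for CWE-914 (not code from the CWE entry). All names are assumptions.

// --- Weak pattern: request parameters become program variables.
// extract() turns every key of an attacker-controlled array into a local variable,
// so a request key that happens to match an internal name overwrites that variable.
function render_profile_weak(array $request): string
{
    $is_admin = false;          // internal variable with a security meaning
    $template = 'profile.tpl';  // internal variable selecting the file to load

    extract($request);          // CWE-914: input decides which variables are written

    return sprintf('template=%s admin=%s', $template, $is_admin ? 'yes' : 'no');
}

// --- Hardened pattern: only an explicit allowlist of parameters is read, and each
// one is copied into a dedicated, statically named variable after type coercion.
const ALLOWED_PARAMS = ['name', 'page'];

function render_profile_hardened(array $request): string
{
    $is_admin = false;
    $template = 'profile.tpl';

    // Drop every key that is not on the allowlist; nothing else can reach a variable.
    $params = array_intersect_key($request, array_flip(ALLOWED_PARAMS));
    $name   = (string) ($params['name'] ?? 'anonymous');
    $page   = max(1, (int) ($params['page'] ?? 1));

    return sprintf(
        'template=%s admin=%s name=%s page=%d',
        $template,
        $is_admin ? 'yes' : 'no',
        $name,
        $page
    );
}

// Constructed request: one expected parameter plus two keys that collide with the
// internal variable names used above.
$request = ['name' => 'alice', 'is_admin' => '1', 'template' => 'admin_panel.tpl'];

echo render_profile_weak($request), PHP_EOL;
echo render_profile_hardened($request), PHP_EOL;
```

In the weak function the request's is_admin and template keys overwrite the two internal variables, which is exactly the chain the observed examples describe (privilege change, file inclusion or path traversal depending on what the overwritten variable controls). In the hardened function those keys are discarded by array_intersect_key before any variable is assigned, and the code no longer needs to identify variables dynamically at all. Note that extract()'s EXTR_SKIP flag is not a substitute for the allowlist: it only avoids overwriting variables that already exist at the call site, and still lets input create any variable the code reads later without initialising it first.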

Vulnerability mapping notes

Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Submission

Name              Organization  Submission date    Release date       Version
CWE Content Team  MITRE         2013-01-26 +00:00  2013-02-21 +00:00  2.4

Modifications

Name              Organization  Date               Comment
CWE Content Team  MITRE         2017-01-19 +00:00  updated Relationships
CWE Content Team  MITRE         2020-02-24 +00:00  updated Relationships
CWE Content Team  MITRE         2020-06-25 +00:00  updated Potential_Mitigations
CWE Content Team  MITRE         2023-01-31 +00:00  updated Description
CWE Content Team  MITRE         2023-04-27 +00:00  updated Relationships, Time_of_Introduction
CWE Content Team  MITRE         2023-06-29 +00:00  updated Mapping_Notes
CWE Content Team  MITRE         2023-10-26 +00:00  updated Observed_Examples