CWE-619 Detail

CWE-619

Dangling Database Cursor ('Cursor Injection')
Incomplete
2007-05-07
00h00 +00:00
2025-04-03
00h00 +00:00
CWE Mitre.org
Meldingen voor een CWE
Blijf op de hoogte van wijzigingen voor een specifieke CWE.
Meldingen beheren

Naam: Dangling Database Cursor ('Cursor Injection')

If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor "dangling."

CWE-beschrijving

For example, an improper dangling cursor could arise from unhandled exceptions. The impact of the issue depends on the cursor's role, but SQL injection attacks are commonly possible.

Algemene informatie

Achtergrondinformatie

Introductiemodi

Implementation : This issue is currently reported for unhandled exceptions, but it is theoretically possible any time the programmer does not close the cursor at the proper time.

Toepasselijke platforms

Taal

Name: SQL (Undetermined)

Technologieën

Name: Database Server (Undetermined)

Veelvoorkomende gevolgen

Bereik Impact Waarschijnlijkheid
Confidentiality
Integrity		Read Application Data, Modify Application Data

Mogelijke risicobeperkingen

Phases : Implementation
Close cursors immediately after access to them is complete. Ensure that you close cursors if exceptions occur.

Notities kwetsbaarheidsmapping

Rechtvaardiging : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Opmerking : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Referenties

REF-505

The Oracle Hacker's Handbook
David Litchfield.

REF-506

Cursor Injection
David Litchfield.
http://www.davidlitchfield.com/cursor-injection.pdf

Indiening

Naam Organisatie Datum Releasedatum Version
CWE Content Team MITRE 2007-05-07 +00:00 2007-05-07 +00:00 Draft 6

Wijzigingen

Naam Organisatie Datum Opmerking
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Other_Notes
CWE Content Team MITRE 2008-10-14 +00:00 updated Background_Details, Description, Relationships
CWE Content Team MITRE 2009-05-27 +00:00 updated Name
CWE Content Team MITRE 2009-10-29 +00:00 updated Modes_of_Introduction, Other_Notes, Weakness_Ordinalities
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2017-11-08 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-04-03 +00:00 updated Applicable_Platforms
De informatie die op CVE Find wordt gepresenteerd, is afkomstig van verschillende zorgvuldig geselecteerde referentiebronnen. CVE-gegevens worden geleverd door MITRE Corporation en de National Vulnerability Database (NVD). De Known Exploited Vulnerabilities (KEV)-catalogus is afkomstig van de Cybersecurity and Infrastructure Security Agency (CISA), terwijl EPSS-scores afkomstig zijn van FIRST.org. Daarnaast worden gegevens over softwarezwakheden (CWE) en veelvoorkomende aanvalspatronen (CAPEC) bijgehouden door MITRE Corporation, en informatie over hardware- en softwareconfiguraties (CPE) wordt geleverd door de NVD.