CWE-943
Improper Neutralization of Special Elements in Data Query Logic
Incomplete
2014-06-23
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Notificações para um CWE
Fique informado sobre quaisquer alterações para um CWE específico.
Nome: Improper Neutralization of Special Elements in Data Query Logic
The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Informações Gerais
Modos de Introdução
Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.Plataformas Aplicáveis
Linguagem
Class: Not Language-Specific (Undetermined)Consequências Comuns
| Escopo | Impacto | Probabilidade |
|---|---|---|
| Confidentiality Integrity Availability Access Control | Bypass Protection Mechanism, Read Application Data, Modify Application Data, Varies by Context |
Exemplos Observados
| Referências | Descrição |
|---|---|
CVE-2024-50672 | NoSQL injection in product for building eLearning courses allows password resets using a query processed by the Mongoose find function |
CVE-2021-20736 | NoSQL injection in team collaboration product |
CVE-2020-35666 | NoSQL injection in a PaaS platform using a MongoDB operator |
CVE-2014-2503 | Injection using Documentum Query Language (DQL) |
CVE-2014-2508 | Injection using Documentum Query Language (DQL) |
Métodos de Detecção
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Eficácia : High
Notas de Mapeamento de Vulnerabilidade
Justificativa : This CWE entry is a Class and might have Base-level children that would be more appropriateComentário : Examine children of this entry to see if there is a better fit
Padrões de Ataque Relacionados
| CAPEC-ID | Nome do Padrão de Ataque |
|---|---|
| CAPEC-676 | NoSQL Injection
|
Notas
It could be argued that data query languages are effectively a command language - albeit with a limited set of commands - and thus any query-language injection issue could be treated as a child of CWE-74. However, CWE-943 is intended to better organize query-oriented issues to separate them from fully-functioning programming languages, and also to provide a more precise identifier for the many query languages that do not have their own CWE identifier.Referências
REF-1454
NoSQL injectionPortSwigger.
https://portswigger.net/web-security/nosql-injection
REF-1455
A Pentester's Guide to NoSQL InjectionThe SecOps Group.
https://secops.group/a-pentesters-guide-to-nosql-injection/
Submissão
| Nome | Organização | Data | Data de lançamento | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | 2.7 |
Modificações
| Nome | Organização | Data | Comentário |
|---|---|---|---|
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Modes_of_Introduction, Observed_Examples, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Maintenance_Notes | |
| CWE Content Team | MITRE | updated Related_Attack_Patterns | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Detection_Factors, Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Alternate_Terms, Observed_Examples, References | |
| CWE Content Team | MITRE | updated Weakness_Ordinalities |
