Category: SFP Secondary Cluster: Tainted Input to Command
Incomplete
Summary
This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).
Membership
| ID | Name | Description |
|---|---|---|
| CWE-102 | Struts: Duplicate Validation Forms | This vulnerability occurs when an application defines multiple Struts validation forms with identical names. The framework then unpredictably selects only one form for validation, potentially bypassing intended security checks. |
| CWE-103 | Struts: Incomplete validate() Method Definition | This vulnerability occurs in a Struts application when a validator form either completely omits a validate() method or includes one but fails to call super.validate() within it. |
| CWE-104 | Struts: Form Bean Does Not Extend Validation Class | This vulnerability occurs in Apache Struts applications when a form bean class does not properly extend the framework's validation class. This bypasses the built-in Validator framework, leaving the application without structured input validation and open to various injection and data manipulation attacks. |
| CWE-105 | Struts: Form Field Without Validator | This vulnerability occurs when a Struts application form contains an input field that lacks a corresponding validator, leaving it open to unverified user input. |
| CWE-106 | Struts: Plug-in Framework not in Use | This weakness occurs when a Java application, particularly one using the Struts framework, does not implement a structured input validation plugin like the Struts Validator. Skipping this framework forces developers to write custom validation logic, which is often error-prone and increases the risk of security flaws from improperly handled user input. |
| CWE-107 | Struts: Unused Validation Form | This vulnerability occurs when a Struts application contains validation form definitions that are no longer linked to any active form or action, leaving outdated security rules in the codebase. |
| CWE-108 | Struts: Unvalidated Action Form | In Apache Struts, every Action Form that processes user input must have a corresponding validation form configured. Missing this validation exposes the application to unvalidated data. |
| CWE-109 | Struts: Validator Turned Off | This vulnerability occurs when an application built with Apache Struts intentionally disables its built-in validation framework. By turning off the Struts Validator bean, developers remove critical automatic input filtering and custom validation rules, leaving the application unprotected against malicious or malformed data. |
| CWE-110 | Struts: Validator Without Form Field | This vulnerability occurs when a Struts application's validation configuration file references form fields that no longer exist in the corresponding ActionForm class. This mismatch indicates outdated validation logic that can fail to properly check user input. |
| CWE-112 | Missing XML Validation | This vulnerability occurs when an application processes XML data from an untrusted source without first validating its structure and content against a defined schema. |
| CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') | This vulnerability occurs when an application accepts user-supplied data and includes it directly in HTTP headers without properly filtering out carriage return (CR) and line feed (LF) characters. This allows an attacker to inject new headers or split a single HTTP response into two separate responses, corrupting the intended communication flow. |
| CWE-130 | Improper Handling of Length Parameter Inconsistency | This vulnerability occurs when a program reads a structured data packet or message but fails to properly validate that the declared length field matches the actual amount of data provided. |
| CWE-134 | Use of Externally-Controlled Format String | This vulnerability occurs when a program uses a format string from an untrusted, external source (like user input, a network packet, or a file) in a formatting function (e.g., printf, sprintf). An attacker can craft a malicious format string to read or write memory, potentially crashing the application or executing arbitrary code. |
| CWE-138 | Improper Neutralization of Special Elements | This vulnerability occurs when an application accepts external input but fails to properly sanitize special characters or syntax that have specific meanings in the target interpreter or protocol. This allows attackers to inject control elements that alter how downstream components process the data. |
| CWE-140 | Improper Neutralization of Delimiters | This vulnerability occurs when an application fails to properly handle or sanitize delimiter characters within data inputs, allowing them to be misinterpreted by downstream systems. |
| CWE-141 | Improper Neutralization of Parameter/Argument Delimiters | This vulnerability occurs when an application fails to properly sanitize special characters that act as delimiters in data being passed between system components. Attackers can inject these characters to manipulate how downstream processes interpret command arguments or parameter lists. |
| CWE-142 | Improper Neutralization of Value Delimiters | This vulnerability occurs when an application fails to properly sanitize or escape special characters that act as data separators (delimiters) before passing that data to another system or component. An attacker can inject these characters to manipulate how the downstream process interprets the data structure. |
| CWE-143 | Improper Neutralization of Record Delimiters | This vulnerability occurs when an application fails to properly sanitize or escape special characters that function as record separators in data streams. When untrusted input containing these delimiters is passed to a downstream system, it can corrupt data structures, cause misinterpretation of records, or trigger unauthorized actions. |
| CWE-144 | Improper Neutralization of Line Delimiters | This vulnerability occurs when an application fails to properly sanitize or escape line break characters (like newline or carriage return) in user-supplied input before passing that data to another system or component. |
| CWE-145 | Improper Neutralization of Section Delimiters | This vulnerability occurs when an application fails to properly sanitize or validate special characters that act as section delimiters in data streams. When this unsanitized input is passed to another component, these delimiters can be misinterpreted, leading to incorrect data parsing or unintended behavior. |
| CWE-146 | Improper Neutralization of Expression/Command Delimiters | This vulnerability occurs when an application fails to properly sanitize input that contains special characters used as delimiters in expressions or commands. When this unsanitized input is passed to another component for processing, those characters can be misinterpreted, altering the intended logic or structure. |
| CWE-147 | Improper Neutralization of Input Terminators | This vulnerability occurs when an application accepts external input but fails to properly handle special characters that downstream systems interpret as commands to stop processing data. |
| CWE-148 | Improper Neutralization of Input Leaders | This vulnerability occurs when an application fails to properly validate or handle input that begins with special control characters or sequences, known as 'leaders.' Issues arise when a required leader is missing, malformed, or when too many leaders are present where only one is expected. |
| CWE-149 | Improper Neutralization of Quoting Syntax | This vulnerability occurs when an application fails to properly validate or escape quote characters (like single ' or double " quotes) in user input. Attackers can inject these quotes to manipulate how the system interprets data, often breaking out of intended data fields to execute unauthorized commands or alter program logic. |
| CWE-150 | Improper Neutralization of Escape, Meta, or Control Sequences | This vulnerability occurs when an application fails to properly sanitize or escape special character sequences in user-supplied input before passing that data to another system or component. Attackers can inject escape, meta, or control sequences to manipulate how the downstream component interprets the data, often leading to command execution, data corruption, or unauthorized actions. |
| CWE-151 | Improper Neutralization of Comment Delimiters | This vulnerability occurs when an application accepts user input and fails to properly sanitize characters that can be interpreted as comment markers (like /*, */, //, #, or <!--) before passing that data to another system component. This allows an attacker to inject malicious comments that can break data processing, alter logic, or expose sensitive information. |
| CWE-152 | Improper Neutralization of Macro Symbols | This vulnerability occurs when an application accepts user input containing macro symbols (like those used in templates or configuration files) and passes it along without properly sanitizing it. This allows attackers to inject malicious macro commands that get executed by downstream systems, potentially leading to data manipulation, system access, or other unintended behaviors. |
| CWE-153 | Improper Neutralization of Substitution Characters | This vulnerability occurs when an application accepts user input and fails to properly sanitize special characters that can trigger command or variable substitution before passing that data to another system component. This allows attackers to inject malicious substitutions that alter the system's intended behavior. |
| CWE-154 | Improper Neutralization of Variable Name Delimiters | This vulnerability occurs when an application fails to properly sanitize or escape special characters that act as delimiters for variable names before passing data to another component. Attackers can inject these delimiters to manipulate how variables are interpreted. |
| CWE-155 | Improper Neutralization of Wildcards or Matching Symbols | This vulnerability occurs when an application fails to properly sanitize user-supplied input containing wildcard characters (like *, ?, or [ ]) before passing it to a command or function that interprets them as pattern-matching symbols. |
| CWE-156 | Improper Neutralization of Whitespace | This vulnerability occurs when an application fails to properly handle or sanitize whitespace characters in input before passing that data to another system component. This allows special whitespace elements to be interpreted incorrectly downstream, potentially altering how the data is processed. |
| CWE-157 | Failure to Sanitize Paired Delimiters | This vulnerability occurs when an application fails to properly validate or neutralize the special characters that come in pairs to define boundaries, such as parentheses, brackets, quotes, or braces. Attackers can exploit this oversight to manipulate data structure, inject malicious code, or cause the application to crash. |
| CWE-158 | Improper Neutralization of Null Byte or NUL Character | This weakness occurs when an application receives data but fails to properly handle or remove NUL characters (\0) before passing that data to another system component. |
| CWE-159 | Improper Handling of Invalid Use of Special Elements | This vulnerability occurs when an application fails to properly validate or neutralize special characters and control elements within user-supplied input. Without this filtering, attackers can inject these elements to manipulate the application's logic, leading to security breaches or system instability. |
| CWE-160 | Improper Neutralization of Leading Special Elements | This vulnerability occurs when an application accepts external input but fails to properly sanitize leading special characters or commands before passing that data to another system component. This allows an attacker to inject unexpected instructions at the beginning of the data stream. |
| CWE-161 | Improper Neutralization of Multiple Leading Special Elements | This vulnerability occurs when an application accepts external input but fails to properly sanitize multiple special characters or sequences at the beginning of that input before passing it to another system component. This allows an attacker to inject unexpected commands or data structures. |
| CWE-162 | Improper Neutralization of Trailing Special Elements | This vulnerability occurs when an application fails to properly sanitize or remove trailing special characters from user-supplied input before passing it to another system component. These leftover characters can trick the downstream parser into executing unintended commands or altering the data flow. |
| CWE-163 | Improper Neutralization of Multiple Trailing Special Elements | This vulnerability occurs when software accepts external input but fails to properly sanitize or incorrectly handles multiple trailing special characters or elements. When this unsanitized data is passed to another system component, these elements can be interpreted in harmful, unintended ways. |
| CWE-164 | Improper Neutralization of Internal Special Elements | This vulnerability occurs when an application accepts data from a source but fails to properly sanitize internal control elements or metadata before passing it to another internal component. This can cause the downstream component to misinterpret the data and perform unintended actions. |
| CWE-165 | Improper Neutralization of Multiple Internal Special Elements | This vulnerability occurs when an application accepts external input but fails to properly sanitize multiple internal control characters or delimiters before passing that data to another internal component. This can cause the downstream component to misinterpret the data and execute unintended commands. |
| CWE-183 | Permissive List of Allowed Inputs | This vulnerability occurs when an application's security filter uses an allowlist that is too broad, mistakenly permitting dangerous inputs that should have been blocked. The flawed assumption that everything on the list is safe creates a direct path for attackers to exploit the system. |
| CWE-184 | Incomplete List of Disallowed Inputs | This vulnerability occurs when a security filter or validation mechanism relies on a 'denylist'—a predefined list of forbidden inputs—but that list is missing critical entries. Attackers can bypass the protection by using variations or inputs the developers didn't anticipate. |
| CWE-185 | Incorrect Regular Expression | This vulnerability occurs when a regular expression is written incorrectly, causing it to match or validate data in unintended and potentially dangerous ways. |
| CWE-186 | Overly Restrictive Regular Expression | This weakness occurs when a regular expression is too narrow, failing to detect all the dangerous or unexpected input values it was designed to catch. |
| CWE-444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') | This weakness occurs when a proxy, firewall, or other intermediary HTTP agent interprets a malformed HTTP request or response differently than the final destination server or client. This inconsistency allows an attacker to craft messages that bypass the intermediary's security checks. |
| CWE-553 | Command Shell in Externally Accessible Directory | This vulnerability occurs when a command shell script is placed in a web-accessible directory, such as /cgi-bin/. Attackers can directly request this file to execute arbitrary commands on the server, leading to full system compromise. |
| CWE-554 | ASP.NET Misconfiguration: Not Using Input Validation Framework | This vulnerability occurs when an ASP.NET application fails to implement a structured input validation framework, relying instead on ad-hoc or missing validation checks. |
| CWE-564 | SQL Injection: Hibernate | This vulnerability occurs when an application uses Hibernate to construct dynamic SQL queries with unsanitized user input, allowing an attacker to alter the query's logic or execute unauthorized SQL commands. |
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | An open redirect vulnerability occurs when a web application uses unvalidated user input to determine the destination of a redirect, allowing an attacker to send users to an untrusted, external website. |
| CWE-611 | Improper Restriction of XML External Entity Reference | This vulnerability occurs when an application processes XML input without properly restricting external entity references. Attackers can exploit this to read local files, trigger internal network requests, or cause denial of service. |
| CWE-619 | Dangling Database Cursor ('Cursor Injection') | A dangling database cursor occurs when a database cursor is not properly closed, potentially allowing other users to access it while it retains its original, often elevated, privileges. |
| CWE-621 | Variable Extraction Error | This vulnerability occurs when an application uses unvalidated external input to dynamically select which variables to populate with data. Without proper checks, this can allow an attacker to overwrite critical internal variables, leading to unexpected behavior or security breaches. |
| CWE-624 | Executable Regular Expression Error | This vulnerability occurs when an application uses a regular expression that can execute code, either because it directly contains executable logic with unsafe user input, or because an attacker can inject pattern modifiers that enable code execution. |
| CWE-625 | Permissive Regular Expression | This weakness occurs when a regular expression is too permissive, failing to properly validate or sanitize input by allowing unintended values or patterns. |
| CWE-626 | Null Byte Interaction Error (Poison Null Byte) | This vulnerability occurs when software incorrectly processes null bytes (NUL characters) as data moves between different systems or programming languages, leading to unexpected and potentially dangerous behavior. |
| CWE-627 | Dynamic Variable Evaluation | This vulnerability occurs when an application allows user input to directly determine which variable or function name is used at runtime. Without strict validation, an attacker can manipulate these names to access or modify sensitive data, execute unauthorized functions, or disrupt the application's logic. |
| CWE-641 | Improper Restriction of Names for Files and Other Resources | This vulnerability occurs when an application creates file or resource names using unvalidated user input, failing to properly limit what characters or paths can be used. |
| CWE-643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') | XPath Injection occurs when an application uses unvalidated user input to build an XPath query for an XML database. Without proper sanitization, attackers can manipulate the query's structure. |
| CWE-644 | Improper Neutralization of HTTP Headers for Scripting Syntax | This vulnerability occurs when an application fails to properly sanitize or escape user-controlled data placed within HTTP response headers. Malicious scripting syntax can then be injected and executed by client-side components like Flash that process raw headers. |
| CWE-646 | Reliance on File Name or Extension of Externally-Supplied File | This vulnerability occurs when an application uses the name or extension of an uploaded file to decide how to handle it. Attackers can manipulate this by uploading files with deceptive names, causing the application to process them incorrectly and potentially dangerously. |
| CWE-652 | Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') | XQuery Injection occurs when an application uses unvalidated user input to build an XQuery expression for querying an XML database. Without proper neutralization, an attacker can manipulate the query's structure. |
| CWE-687 | Function Call With Incorrectly Specified Argument Value | This vulnerability occurs when a function is called with an argument that holds an incorrect or unexpected value, leading to unintended program behavior or security flaws. |
| CWE-707 | Improper Neutralization | This vulnerability occurs when an application fails to properly validate or sanitize structured data before it's received from an external source or sent to another component. This allows malformed messages to be processed, which can lead to misinterpretation and security breaches. |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | This vulnerability occurs when an application uses untrusted external input to build a command, query, or data structure for another component, but fails to properly sanitize special characters or syntax. This allows the input to alter the intended meaning or behavior when the downstream component processes it. |
| CWE-75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | This vulnerability occurs when an application fails to properly filter or encode user-supplied data containing special characters or commands that can be interpreted in a different context, such as a command shell, file system, or data format. |
| CWE-76 | Improper Neutralization of Equivalent Special Elements | This vulnerability occurs when an application successfully blocks or sanitizes a known set of dangerous inputs but fails to recognize and handle alternative forms that have the same meaning or effect. |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | This vulnerability occurs when an application builds a system command using untrusted user input without properly sanitizing it. An attacker can inject their own commands by inserting special characters or code, tricking the application into executing unintended and potentially harmful actions on the underlying system. |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | OS Command Injection occurs when an application builds a system command using untrusted, external input without properly sanitizing it. This allows an attacker to inject and execute arbitrary commands on the underlying operating system. |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | This vulnerability occurs when a web application fails to properly sanitize or encode user-supplied input before displaying it on a webpage viewed by other users. |
| CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | This vulnerability, commonly known as Basic Cross-Site Scripting (XSS), occurs when a web application fails to properly sanitize user input containing HTML and JavaScript tags. When untrusted data containing characters like <, >, and & is rendered directly into a webpage, a browser may execute it as active code, not just display it as text. |
| CWE-81 | Improper Neutralization of Script in an Error Message Web Page | This vulnerability occurs when an application fails to properly sanitize user-supplied input before displaying it within an error message web page. If special characters used in web scripts are not neutralized, an attacker can inject malicious code that executes in a user's browser. |
| CWE-82 | Improper Neutralization of Script in Attributes of IMG Tags in a Web Page | This vulnerability occurs when a web application fails to properly sanitize or escape script code within the attributes of HTML IMG tags, such as the 'src' attribute. |
| CWE-83 | Improper Neutralization of Script in Attributes in a Web Page | This vulnerability occurs when a web application fails to properly sanitize or block JavaScript URIs (like 'javascript:') within HTML tag attributes. Attackers can inject malicious code into attributes such as onmouseover, onload, onerror, or style, leading to cross-site scripting (XSS) attacks when the page renders. |
| CWE-84 | Improper Neutralization of Encoded URI Schemes in a Web Page | This vulnerability occurs when a web application fails to properly sanitize user-supplied input that contains malicious scripts disguised using encoded URI schemes like `javascript:` or `data:`. |
| CWE-85 | Doubled Character XSS Manipulations | This vulnerability occurs when a web application fails to properly sanitize user input that contains doubled characters, allowing attackers to bypass filters and inject malicious scripts. |
| CWE-86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | This vulnerability occurs when an application fails to properly filter or escape invalid characters within web identifiers like HTML tag names or URI schemes, allowing malicious sequences to pass through. |
| CWE-87 | Improper Neutralization of Alternate XSS Syntax | This vulnerability occurs when an application fails to properly sanitize user-supplied input that uses alternative methods to execute cross-site scripting (XSS) attacks. |
| CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | This vulnerability occurs when an application builds a command string for execution by another component, but fails to properly separate or 'neutralize' the intended arguments. This allows an attacker to inject additional command-line arguments, options, or switches by including argument-separating characters (like spaces or dashes) in untrusted input. |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | SQL Injection occurs when an application builds a database query using untrusted user input without properly sanitizing it. This allows an attacker to insert malicious SQL code that the database executes, potentially letting them view, modify, or delete sensitive data. |
| CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | This vulnerability occurs when an application builds an LDAP query using untrusted user input without properly sanitizing it. An attacker can inject special characters or commands to alter the query's logic, potentially gaining unauthorized access to, modifying, or extracting sensitive directory information. |
| CWE-91 | XML Injection (aka Blind XPath Injection) | XML Injection occurs when an application fails to properly validate or escape user-controlled input before including it in XML documents or queries. This allows attackers to inject malicious XML elements or syntax, potentially altering the document's structure, extracting sensitive data, or disrupting processing logic. |
| CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | This vulnerability occurs when an application uses carriage return and line feed characters (CRLF) to structure data, like separating lines or records, but fails to properly sanitize these sequences from user-supplied input before processing. |
| CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | This vulnerability occurs when an application takes user input and passes it directly into a dynamic code execution function, like eval(), without properly sanitizing it. This allows an attacker to inject and execute arbitrary code within the application's context. |
| CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | Static Code Injection occurs when an application incorporates unvalidated or improperly sanitized user input directly into a static, executable resource like a configuration file, template, or library. Because this input is saved and later executed, it allows an attacker to inject malicious code that becomes a permanent part of the application's logic. |
| CWE-97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page | This vulnerability occurs when a web application dynamically generates pages but fails to properly sanitize user-supplied input that could be interpreted as server-side include (SSI) commands, allowing an attacker to inject malicious directives. |
| CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') | This vulnerability occurs when an application accepts user input as a resource identifier (like a file path or port number) without proper validation, allowing an attacker to access or manipulate resources outside the intended scope. |
| CWE-888 | Software Fault Pattern (SFP) Clusters | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.