CWE-242 Base Brouillon High likelihood

Use of Inherently Dangerous Function

This vulnerability occurs when code uses functions that are inherently unsafe and cannot be reliably secured, posing a direct risk to application stability and security.

Définition

What is CWE-242?

This vulnerability occurs when code uses functions that are inherently unsafe and cannot be reliably secured, posing a direct risk to application stability and security.
Some functions are dangerous by design because they were created without security in mind, such as failing to check boundaries on user input. A classic example is the `gets()` function, which reads input without any limit on its size, allowing an attacker to overflow the destination buffer and potentially execute arbitrary code. Similarly, using the `>>` operator to read into a fixed-size character array is risky for the same reason—it doesn't validate input length, leading to buffer overflows. To prevent these issues, developers should replace these inherently dangerous functions with secure alternatives. For instance, use `fgets()` instead of `gets()` and employ methods with explicit bounds checking, like `std::string` in C++ or `scanf()` with width specifiers. Always validate and limit all external input to ensure it fits within the allocated buffer size, eliminating the root cause of these exploitable overflows.
Impact réel

Real-world CVEs caused by CWE-242

  • CVE-2007-4004

    FTP client uses inherently insecure gets() function and is setuid root on some systems, allowing buffer overflow

Comment les attaquants l'exploitent

Parcours de l'attaquant étape par étape

  1. 1

    The code below calls gets() to read information into a buffer.

  2. 2

    The gets() function in C is inherently unsafe.

  3. 3

    The code below calls the gets() function to read in data from the command line.

  4. 4

    However, gets() is inherently unsafe, because it copies all input from STDIN to the buffer without checking size. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition.

Exemple de code vulnérable

Vulnerable C

The code below calls gets() to read information into a buffer.

Vulnérable C 
char buf[BUFSIZE];
  gets(buf);
Exemple de code sécurisé

Secure pseudo

Sécurisé pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention

How to prevent CWE-242

  • Implementation / Requirements Ban the use of dangerous functions. Use their safe equivalent.
  • Testing Use grep or static analysis tools to spot usage of dangerous functions.
Signaux de détection

How to detect CWE-242

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Correction automatique Plexicus

Plexicus détecte automatiquement CWE-242 et ouvre une PR de correction en moins de 60 secondes.

Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.

Obtenir une démo Essayer Plexicus gratuitement
Questions fréquentes

Frequently asked questions

Qu'est-ce que CWE-242 ?

This vulnerability occurs when code uses functions that are inherently unsafe and cannot be reliably secured, posing a direct risk to application stability and security.

Quelle est la gravité de CWE-242 ?

MITRE évalue la probabilité d'exploitation comme Élevée — cette faiblesse est activement exploitée et doit être priorisée pour la remédiation.

Quels langages ou plateformes sont affectés par CWE-242 ?

MITRE lists the following affected platforms: C, C++.

Comment puis-je prévenir CWE-242 ?

Ban the use of dangerous functions. Use their safe equivalent. Use grep or static analysis tools to spot usage of dangerous functions.

Comment Plexicus détecte et corrige CWE-242 ?

Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-242 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.

Où puis-je en savoir plus sur CWE-242 ?

MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/242.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.

Faiblesses associées

Weaknesses related to CWE-242

CWE-1177 Parent

Use of Prohibited Code

This vulnerability occurs when software incorporates a function, library, or third-party component that has been explicitly banned by the…

CWE-676 Frère

Use of Potentially Dangerous Function

This vulnerability occurs when code calls a function that can be dangerous if misused, but can also be used safely with proper…

Ressources

Further reading

Prêt quand vous l'êtes

Arrêtez de payer par développeur.
Commencez à fermer la boucle.

Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.

Commencer gratuitement Réserver une démo