{"@ID": "913", "@Name": "Improper Control of Dynamically-Managed Code Resources", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.", "Extended_Description": "Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways.", "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "664", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": [{"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, {"@Class": "Interpreted", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Implementation"}]}, "Common_Consequences": {"Consequence": [{"Scope": "Integrity", "Impact": "Execute Unauthorized Code or Commands"}, {"Scope": ["Other", "Integrity"], "Impact": ["Varies by Context", "Alter Execution Logic"]}]}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-13", "Method": "Fuzzing", "Description": "Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.", "Effectiveness": "High"}}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Implementation", "Strategy": "Input Validation", "Description": "For any externally-influenced input, check the input against an allowlist of acceptable values."}, {"Phase": ["Implementation", "Architecture and Design"], "Strategy": "Refactoring", "Description": "Refactor the code so that it does not need to be dynamically managed."}]}, "Demonstrative_Examples": {"Demonstrative_Example": [{"@Demonstrative_Example_ID": "DX-32", "Intro_Text": "This example attempts to write user messages to a message file and allow users to view them.", "Example_Code": [{"@Nature": "Bad", "@Language": "PHP", "xhtml:div": {"xhtml:br": [null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null, null], "#text": "$name = $_GET[\"name\"];$message = $_GET[\"message\"];$handle = fopen($MessageFile, \"a+\");fwrite($handle, \"<b>$name</b> says '$message'<hr>\\n\");fclose($handle);echo \"Message Saved!<p>\\n\";"}, {"@style": "margin-left:1em;", "#text": "include($MessageFile);"}], "#text": "$MessageFile = \"messages.out\";if ($_GET[\"action\"] == \"NewMessage\") {}else if ($_GET[\"action\"] == \"ViewMessages\") {}"}}, {"@Nature": "Attack", "xhtml:div": {"xhtml:br": null, "#text": "name=h4x0rmessage=%3C?php%20system(%22/bin/ls%20-l%22);?%3E"}}, {"@Nature": "Attack", "xhtml:div": "<?php system(\"/bin/ls -l\");?>"}], "Body_Text": ["While the programmer intends for the MessageFile to only include data, an attacker can provide a message such as:", "which will decode to the following:", "The programmer thought they were just including the contents of a regular data file, but PHP parsed it and executed the code. Now, this code is executed any time people view messages.", "Notice that XSS (CWE-79) is also possible in this situation."]}, {"@Demonstrative_Example_ID": "DX-232", "Intro_Text": "A common reason that programmers use the\n               reflection API is to implement their own command\n               dispatcher. The following example shows a command\n               dispatcher that does not use reflection:", "Example_Code": [{"@Nature": "Good", "@Language": "Java", "xhtml:div": {"xhtml:br": [null, null, null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "#text": "ao = new AddCommand();"}, {"@style": "margin-left:1em;", "#text": "ao = new ModifyCommand();"}, {"@style": "margin-left:1em;", "#text": "throw new UnknownActionError();"}], "#text": "String ctl = request.getParameter(\"ctl\");\n\t\t\t\t  Worker ao = null;\n\t\t\t\t  if (ctl.equals(\"Add\")) {\n\t\t\t\t  \n\t\t\t\t  }\n\t\t\t\t  else if (ctl.equals(\"Modify\")) {\n\t\t\t\t  \n\t\t\t\t  }\n\t\t\t\t  else {\n\t\t\t\t  }\n\t\t\t\t  \n\t\t\t\t  ao.doAction(request);"}}, {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:br": [null, null, null], "#text": "String ctl = request.getParameter(\"ctl\");\n\t\t\t\t\tClass cmdClass = Class.forName(ctl + \"Command\");\n\t\t\t\t\tWorker ao = (Worker) cmdClass.newInstance();\n\t\t\t\t\tao.doAction(request);"}}, {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:br": [null, null, null, null], "#text": "String ctl = request.getParameter(\"ctl\");\n\t\t\t\t   Class cmdClass = Class.forName(ctl + \"Command\");\n\t\t\t\t   Worker ao = (Worker) cmdClass.newInstance();\n\t\t\t\t   ao.checkAccessControl(request);\n\t\t\t\t   ao.doAction(request);"}}], "Body_Text": ["A programmer might refactor this code to use reflection as follows:", {"xhtml:p": ["The refactoring initially appears to offer a\n\t\t\t\t number of advantages. There are fewer lines of code,\n\t\t\t\t the if/else blocks have been entirely eliminated, and\n\t\t\t\t it is now possible to add new command types without\n\t\t\t\t modifying the command dispatcher.", "However, the refactoring allows an attacker to\n\t\t\t\t instantiate any object that implements the Worker\n\t\t\t\t interface. If the command dispatcher is still\n\t\t\t\t responsible for access control, then whenever\n\t\t\t\t programmers create a new class that implements the\n\t\t\t\t Worker interface, they must remember to modify the\n\t\t\t\t dispatcher's access control code. If they do not modify\n\t\t\t\t the access control code, then some Worker classes will\n\t\t\t\t not have any access control."]}, "One way to address this access control\n               problem is to make the Worker object responsible for\n               performing the access control check. An example of the\n               re-refactored code follows:", "Although this is an improvement, it\n               encourages a decentralized approach to access control,\n               which makes it easier for programmers to make access\n               control mistakes.", "This code also highlights another security\n\t\t\t   problem with using reflection to build a command\n\t\t\t   dispatcher. An attacker can invoke the default\n\t\t\t   constructor for any kind of object. In fact, the\n\t\t\t   attacker is not even constrained to objects that\n\t\t\t   implement the Worker interface; the default constructor\n\t\t\t   for any object in the system can be invoked. If the\n\t\t\t   object does not implement the Worker interface, a\n\t\t\t   ClassCastException will be thrown before the assignment\n\t\t\t   to ao, but if the constructor performs operations that\n\t\t\t   work in the attacker's favor, the damage will already\n\t\t\t   have been done. Although this scenario is relatively\n\t\t\t   benign in simple products, in larger products where\n\t\t\t   complexity grows exponentially, it is not unreasonable\n\t\t\t   that an attacker could find a constructor to leverage\n\t\t\t   as part of an attack."]}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2022-2054", "Description": "Python compiler uses eval() to execute malicious strings as Python code.", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-2054"}, {"Reference": "CVE-2018-1000613", "Description": "Cryptography API uses unsafe reflection when deserializing a private key", "Link": "https://www.cve.org/CVERecord?id=CVE-2018-1000613"}, {"Reference": "CVE-2015-8103", "Description": "Deserialization issue in commonly-used Java library allows remote execution.", "Link": "https://www.cve.org/CVERecord?id=CVE-2015-8103"}, {"Reference": "CVE-2006-7079", "Description": "Chain: extract used for register_globals compatibility layer, enables path traversal (CWE-22)", "Link": "https://www.cve.org/CVERecord?id=CVE-2006-7079"}, {"Reference": "CVE-2012-2055", "Description": "Source version control product allows modification of trusted key using mass assignment.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-2055"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review", "Rationale": "This CWE entry is a Class and might have Base-level children that would be more appropriate", "Comments": "Examine children of this entry to see if there is a better fit", "Reasons": {"Reason": {"@Type": "Abstraction"}}}, "Content_History": {"Submission": {"Submission_Name": "CWE Content Team", "Submission_Organization": "MITRE", "Submission_Date": "2013-01-26", "Submission_Version": "2.4", "Submission_ReleaseDate": "2013-02-21"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2015-12-07", "Modification_Version": "2.9", "Modification_ReleaseDate": "2015-12-07", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-01-19", "Modification_Version": "2.10", "Modification_ReleaseDate": "2017-01-19", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-06-25", "Modification_Version": "4.1", "Modification_ReleaseDate": "2020-06-25", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-10-26", "Modification_Version": "4.13", "Modification_ReleaseDate": "2023-10-26", "Modification_Comment": "updated Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Applicable_Platforms, Demonstrative_Examples, Weakness_Ordinalities"}]}}
