Common Weakness Enumeration

CWE-134

Allowed

Use of Externally-Controlled Format String

Abstraction: Base · Status: Draft

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

501 vulnerabilities reference this CWE, most recent first.

GHSA-H69R-JW3J-854F

Vulnerability from github – Published: 2024-07-11 18:31 – Updated: 2024-09-23 15:31
VLAI
Details

A Use of Externally-Controlled Format String vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).

If DNS Domain Generation Algorithm (DGA) detection or tunnel detection, and DNS-filtering traceoptions are configured, and specific valid transit DNS traffic is received this causes a PFE crash and restart, leading to a Denial of Service.

This issue affects Junos OS: * All versions before 21.4R3-S6, * 22.2 versions before 22.2R3-S3, * 22.3 versions before 22.3R3-S3, * 22.4 versions before 22.4R3, * 23.2 versions before 23.2R2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39529"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-11T16:15:04Z",
    "severity": "HIGH"
  },
  "details": "A Use of Externally-Controlled Format String vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a\u00a0Denial-of-Service (DoS).\n\n\n\nIf DNS Domain Generation Algorithm (DGA) detection or tunnel detection, and DNS-filtering traceoptions are configured, and specific valid transit DNS traffic is received this causes\u00a0a PFE crash and restart, leading to a Denial of Service.\n\nThis issue affects Junos OS: \n  *  All versions before 21.4R3-S6,\n  *  22.2 versions before 22.2R3-S3,\n  *  22.3 versions before 22.3R3-S3,\n  *  22.4 versions before 22.4R3,\n  *  23.2 versions before 23.2R2.",
  "id": "GHSA-h69r-jw3j-854f",
  "modified": "2024-09-23T15:31:00Z",
  "published": "2024-07-11T18:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39529"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/JSA82988"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-H6FJ-J4MH-7X7H

Vulnerability from github – Published: 2022-05-17 01:48 – Updated: 2022-05-17 01:48
VLAI
Details

Multiple format string vulnerabilities in dbdimp.c in DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.19.0 for Perl allow remote PostgreSQL database servers to cause a denial of service (process crash) via format string specifiers in (1) a crafted database warning to the pg_warn function or (2) a crafted DBD statement to the dbd_st_prepare function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-1151"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-09-09T21:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple format string vulnerabilities in dbdimp.c in DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.19.0 for Perl allow remote PostgreSQL database servers to cause a denial of service (process crash) via format string specifiers in (1) a crafted database warning to the pg_warn function or (2) a crafted DBD statement to the dbd_st_prepare function.",
  "id": "GHSA-h6fj-j4mh-7x7h",
  "modified": "2022-05-17T01:48:46Z",
  "published": "2022-05-17T01:48:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1151"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=801733"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/73854"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/73855"
    },
    {
      "type": "WEB",
      "url": "https://rt.cpan.org/Public/Bug/Display.html?id=75642"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661536"
    },
    {
      "type": "WEB",
      "url": "http://cpansearch.perl.org/src/TURNSTEP/DBD-Pg-2.19.1/Changes"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2012-1116.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/48307"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/48319"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/48824"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-201204-08.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2012/dsa-2431"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2012:112"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/03/09/6"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/03/10/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-H862-M45V-WG8W

Vulnerability from github – Published: 2022-05-01 06:42 – Updated: 2022-05-01 06:42
VLAI
Details

Format string vulnerability in PunkBuster 1.180 and earlier, as used by Soldier of Fortune II and possibly other games, allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via format string specifiers in invalid cvar values, which are not properly handled when the server kicks the player and records the reason.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-0771"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-02-18T21:02:00Z",
    "severity": "MODERATE"
  },
  "details": "Format string vulnerability in PunkBuster 1.180 and earlier, as used by Soldier of Fortune II and possibly other games, allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via format string specifiers in invalid cvar values, which are not properly handled when the server kicks the player and records the reason.",
  "id": "GHSA-h862-m45v-wg8w",
  "modified": "2022-05-01T06:42:33Z",
  "published": "2022-05-01T06:42:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-0771"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/24792"
    },
    {
      "type": "WEB",
      "url": "http://aluigi.altervista.org/adv/sof2pbfs-adv.txt"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0372.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/18917"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/448"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/425286/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/16703"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-H8W3-M7VJ-Q5MC

Vulnerability from github – Published: 2022-05-01 18:36 – Updated: 2022-05-01 18:36
VLAI
Details

The format string protection mechanism in IMAPD for Perdition Mail Retrieval Proxy 1.17 and earlier allows remote attackers to execute arbitrary code via an IMAP tag with a null byte followed by a format string specifier, which is not counted by the mechanism.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-5740"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-10-31T16:46:00Z",
    "severity": "HIGH"
  },
  "details": "The format string protection mechanism in IMAPD for Perdition Mail Retrieval Proxy 1.17 and earlier allows remote attackers to execute arbitrary code via an IMAP tag with a null byte followed by a format string specifier, which is not counted by the mechanism.",
  "id": "GHSA-h8w3-m7vj-q5mc",
  "modified": "2022-05-01T18:36:13Z",
  "published": "2022-05-01T18:36:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5740"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/38184"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/fulldisclosure/2007-10/0889.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/27458"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/27520"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2007/dsa-1398"
    },
    {
      "type": "WEB",
      "url": "http://www.sec-consult.com/300.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/483034/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/26270"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1018883"
    },
    {
      "type": "WEB",
      "url": "http://www.vergenet.net/linux/perdition/ChangeLog.shtml"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/3677"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HCVJ-9XM8-98JM

Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2024-04-04 01:32
VLAI
Details

cPanel before 60.0.25 allows format-string injection in exception-message handling (SEC-171).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-10773"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-05T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "cPanel before 60.0.25 allows format-string injection in exception-message handling (SEC-171).",
  "id": "GHSA-hcvj-9xm8-98jm",
  "modified": "2024-04-04T01:32:02Z",
  "published": "2022-05-24T16:52:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10773"
    },
    {
      "type": "WEB",
      "url": "https://documentation.cpanel.net/display/CL/60+Change+Log"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HGH9-G52Q-6M7G

Vulnerability from github – Published: 2022-08-23 00:00 – Updated: 2022-08-24 00:00
VLAI
Details

A flaw was found in the Red Hat OpenShift API Management product. User input is not validated allowing an authenticated user to inject scripts into some text boxes leading to a XSS attack. The highest threat from this vulnerability is to data confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3442"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134",
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-22T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in the Red Hat OpenShift API Management product. User input is not validated allowing an authenticated user to inject scripts into some text boxes leading to a XSS attack. The highest threat from this vulnerability is to data confidentiality.",
  "id": "GHSA-hgh9-g52q-6m7g",
  "modified": "2022-08-24T00:00:29Z",
  "published": "2022-08-23T00:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3442"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2021:3851"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2021-3442"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1930083"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HHQ7-6G2P-F5H6

Vulnerability from github – Published: 2022-05-01 23:36 – Updated: 2022-05-01 23:36
VLAI
Details

Format string vulnerability in the cryactio function in Crysis 1.1.1.5879 allows remote authenticated users to execute arbitrary code via format string specifiers in the user name, which is triggered when the game character is killed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-1127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-03-03T23:44:00Z",
    "severity": "MODERATE"
  },
  "details": "Format string vulnerability in the cryactio function in Crysis 1.1.1.5879 allows remote authenticated users to execute arbitrary code via format string specifiers in the user name, which is triggered when the game character is killed.",
  "id": "GHSA-hhq7-6g2p-f5h6",
  "modified": "2022-05-01T23:36:51Z",
  "published": "2022-05-01T23:36:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1127"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/5201"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29155"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/28039"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/0735"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HJ2J-77XM-MC5V

Vulnerability from github – Published: 2019-04-10 14:30 – Updated: 2024-09-24 20:51
VLAI
Summary
Jinja2 sandbox escape vulnerability
Details

In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Jinja2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-10745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:40:24Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.",
  "id": "GHSA-hj2j-77xm-mc5v",
  "modified": "2024-09-24T20:51:38Z",
  "published": "2019-04-10T14:30:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10745"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1022"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1237"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1260"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3964"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:4062"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-hj2j-77xm-mc5v"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pallets/jinja"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2019-220.yaml"
    },
    {
      "type": "WEB",
      "url": "https://palletsprojects.com/blog/jinja-281-released"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4011-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4011-2"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Jinja2 sandbox escape vulnerability"
}

GHSA-HJQ2-29HF-FWVR

Vulnerability from github – Published: 2022-05-01 18:31 – Updated: 2022-05-01 18:31
VLAI
Details

Multiple format string vulnerabilities in websrv.cpp in Dawn of Time 1.69s beta4 and earlier allow remote attackers to execute arbitrary code via format string specifiers in the (1) username or (2) password fields when accessing certain "restricted zones", which are not properly handled by the (a) processWebHeader and (b) filterWebRequest functions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-5265"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-10-08T21:17:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple format string vulnerabilities in websrv.cpp in Dawn of Time 1.69s beta4 and earlier allow remote attackers to execute arbitrary code via format string specifiers in the (1) username or (2) password fields when accessing certain \"restricted zones\", which are not properly handled by the (a) processWebHeader and (b) filterWebRequest functions.",
  "id": "GHSA-hjq2-29hf-fwvr",
  "modified": "2022-05-01T18:31:50Z",
  "published": "2022-05-01T18:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5265"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36973"
    },
    {
      "type": "WEB",
      "url": "http://aluigi.altervista.org/adv/dawnfs-adv.txt"
    },
    {
      "type": "WEB",
      "url": "http://forums.dawnoftime.org/viewtopic.php?t=2102"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/27083"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/3201"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/481619/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/25944"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/3418"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HJVG-MWXC-784G

Vulnerability from github – Published: 2022-05-01 17:43 – Updated: 2022-05-01 17:43
VLAI
Details

Multiple format string vulnerabilities in (1) _invitedToRoom: and (2) _invitedToDirectChat: in Colloquy 2.1 and earlier allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in the channel name of an INVITE request, related to the implementation of AlertSheet and AlertPanel in Apple AppKit.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-0344"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-01-18T02:28:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple format string vulnerabilities in (1) _invitedToRoom: and (2) _invitedToDirectChat: in Colloquy 2.1 and earlier allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in the channel name of an INVITE request, related to the implementation of AlertSheet and AlertPanel in Apple AppKit.",
  "id": "GHSA-hjvg-mwxc-784g",
  "modified": "2022-05-01T17:43:18Z",
  "published": "2022-05-01T17:43:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-0344"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/3139"
    },
    {
      "type": "WEB",
      "url": "http://projects.info-pull.com/moab/MOAB-16-01-2007.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/23801"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/32688"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/22086"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/0238"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Requirements

Choose a language that is not subject to this flaw.

Mitigation
Implementation

Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]

Mitigation
Build and Compilation

Run compilers and linkers with high warning levels, since they may detect incorrect usage.

CAPEC-135: Format String Injection

An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.

CAPEC-67: String Format Overflow in syslog()

This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.