This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increase the amount of damage.
There are at least two subtypes of OS command injection:
From a weakness standpoint, these variants represent distinct programmer errors. In the first variant, the programmer clearly intends that input from untrusted parties will be part of the arguments in the command to be executed. In the second variant, the programmer does not intend for the command to be accessible to any untrusted party, but the programmer probably has not accounted for alternate ways in which malicious attackers can provide input.
Impact | Details |
---|---|
Execute Unauthorized Code or Commands; DoS: Crash, Exit, or Restart; Read Files or Directories; Modify Files or Directories; Read Application Data; Modify Application Data; Hide Activities | Scope: Confidentiality, Integrity, Availability, Non-Repudiation. Attackers could execute unauthorized operating system commands, which could then be used to disable the product, or read and modify data for which the attacker does not have permissions to access directly. Since the targeted application is directly executing the commands instead of the attacker, any malicious activities may appear to come from the application or the application's owner. |
Phase(s) | Mitigation |
---|---|
Architecture and Design | If at all possible, use library calls rather than external processes to recreate the desired functionality. |
Architecture and Design; Operation | Strategy: Sandbox or Jail. Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails. Effectiveness: Limited. Note: The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. |
Architecture and Design | Strategy: Attack Surface Reduction. For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the data locally in the session's state instead of sending it out to the client in a hidden form field. |
Architecture and Design | For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. |
Architecture and Design | Strategy: Libraries or Frameworks. Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error. |
Implementation | Strategy: Output Encoding. While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88). |
Implementation | If the program to be executed allows arguments to be specified within an input file or from standard input, then consider using that mode to pass arguments instead of the command line. |
Architecture and Design | Strategy: Parameterization. If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Some languages offer multiple functions that can be used to invoke commands. Where possible, identify any function that invokes a command shell using a single string, and replace it with a function that requires individual arguments. These functions typically perform appropriate quoting and filtering of arguments. For example, in C, the system() function accepts a string that contains the entire command to be executed, whereas execl(), execve(), and others require an array of strings, one for each argument. In Windows, CreateProcess() only accepts one command at a time. In Perl, if system() is provided with an array of arguments, then it will quote each of the arguments. |
Implementation | Strategy: Input Validation. Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When constructing OS command strings, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping. Note that proper output encoding, escaping, and quoting is the most effective solution for preventing OS command injection, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent OS command injection, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, when invoking a mail program, you might need to allow the subject field to contain otherwise-dangerous inputs like ";" and ">" characters, which would need to be escaped or otherwise handled. In this case, stripping the character might reduce the risk of OS command injection, but it would produce incorrect behavior because the subject field would not be recorded as the user intended. This might seem to be a minor inconvenience, but it could be more important when the program relies on well-structured subject lines in order to pass messages to other components. Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address. |
Architecture and Design | Strategy: Enforcement by Conversion. When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. |
Operation | Strategy: Compilation or Build Hardening. Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184). |
Operation | Strategy: Environment Hardening. Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184). |
Implementation | Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not. In the context of OS Command Injection, error information passed back to the user might reveal whether an OS command is being executed and possibly which command is being used. |
Operation | Strategy: Sandbox or Jail. Use runtime policy enforcement to create an allowlist of allowable commands, then prevent use of any command that does not appear in the allowlist. Technologies such as AppArmor are available to do this. |
Operation | Strategy: Firewall. Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481]. Effectiveness: Moderate. Note: An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization. |
Architecture and Design; Operation | Strategy: Environment Hardening. Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. |
Operation; Implementation | Strategy: Environment Hardening. When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. |
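The following is an added example, not code from the CWE entry, that puts four of the mitigations above next to each other in Python: the single-string shell invocation the entry warns about, Parameterization (an argument list with no shell), Output Encoding with `shlex.quote` for the case where a shell string is unavoidable, an accept-known-good allowlist for Input Validation, and Enforcement by Conversion (a fixed numeric ID mapped to a fixed value). It assumes a POSIX `/bin/sh` and an `echo` binary; the hostile input and the `BACKUP_TYPES` table are constructed sample values.

```python
"""Added example (not code from the CWE entry): the entry's main
mitigations for CWE-78 side by side, using Python's subprocess module.
Assumes a POSIX /bin/sh and an `echo` binary (Linux); every input value
below is a constructed sample."""
import re
import shlex
import subprocess

SAMPLE_HOSTILE = "alice; echo INJECTED"   # constructed: a value an attacker might send


def echo_via_shell(user_input):
    """The weak pattern: one command string handed to /bin/sh (the shape of
    the entry's Example 1 and Example 7). The shell parses ';' as a separator,
    so a second command runs."""
    result = subprocess.run("echo " + user_input, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def echo_via_argv(user_input):
    """Parameterization: the input is one argv element and no shell is
    involved, so ';' is an ordinary character inside the argument."""
    result = subprocess.run(["echo", user_input], capture_output=True, text=True)
    return result.stdout


def echo_quoted_via_shell(user_input):
    """Output Encoding for the case where a shell string is unavoidable:
    shlex.quote wraps the argument so the shell sees a single literal word.
    Argument injection (CWE-88, e.g. an input starting with '-') is not
    addressed by quoting and still needs validation or a '--' separator."""
    result = subprocess.run("echo " + shlex.quote(user_input), shell=True,
                            capture_output=True, text=True)
    return result.stdout


# Input Validation: accept-known-good allowlist for a POSIX-style user name.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def is_valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None


def validate_username(name):
    """Rejects anything outside the allowlist instead of trying to strip
    'bad' characters (the denylist approach the entry warns against)."""
    if not is_valid_username(name):
        raise ValueError("rejected user name: %r" % name)
    return name


# Enforcement by Conversion: the client only ever sends a small integer ID;
# the server maps it to a fixed value and rejects everything else. The
# BACKUP_TYPES table is constructed (compare the backuptype parameter in
# the entry's Example 6).
BACKUP_TYPES = {1: "full", 2: "incremental", 3: "archivelog"}


def backup_type_for(type_id):
    try:
        return BACKUP_TYPES[int(type_id)]
    except (KeyError, ValueError, TypeError):
        raise ValueError("unknown backup type id: %r" % (type_id,)) from None


if __name__ == "__main__":
    print(repr(echo_via_shell(SAMPLE_HOSTILE)))         # 'alice\nINJECTED\n'
    print(repr(echo_via_argv(SAMPLE_HOSTILE)))          # 'alice; echo INJECTED\n'
    print(repr(echo_quoted_via_shell(SAMPLE_HOSTILE)))  # 'alice; echo INJECTED\n'
    print(is_valid_username("alice"), is_valid_username(SAMPLE_HOSTILE))  # True False
    print(backup_type_for("2"))                         # incremental
```

The three `echo_*` functions take the same hostile string; only the first one executes the injected `echo INJECTED`. The argv form is the preferred fix, the quoted form is the fallback when a shell really is required, and the allowlist and ID mapping are the defense-in-depth layers the entry recommends in front of either.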
Nature | Type | ID | Name |
---|---|---|---|
ChildOf | Class (a weakness that is described in a very abstract fashion, typically independent of any specific language or technology; more specific than a Pillar Weakness, but more general than a Base Weakness; Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource) | 77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
CanAlsoBe | Base (a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention; Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource) | 88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') |
CanFollow | Base | 184 | Incomplete List of Disallowed Inputs |
Nature | Type | ID | Name |
---|---|---|---|
MemberOf | Category (a CWE entry that contains a set of other entries that share a common characteristic) | 137 | Data Neutralization Issues |
Nature | Type | ID | Name |
---|---|---|---|
ChildOf | Class | 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
Nature | Type | ID | Name |
---|---|---|---|
MemberOf | Category | 1019 | Validate Inputs |
Nature | Type | ID | Name |
---|---|---|---|
ChildOf | Class | 77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
Nature | Type | ID | Name |
---|---|---|---|
ChildOf | Class | 77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
Phase | Note |
---|---|
Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
Class: Not Language-Specific (Undetermined Prevalence)
AI/ML (Undetermined Prevalence)
Example 1
This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.
The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as:
Which would result in $command being:
Since the semi-colon is a command separator in Unix, the OS would first execute the ls command, then the rm command, deleting the entire file system.
Also note that this example code is vulnerable to Path Traversal (CWE-22) and Untrusted Search Path (CWE-426) attacks.
Example 2
The following simple program accepts a filename as a command line argument and displays the contents of the file back to the user. The program is installed setuid root because it is intended for use as a learning tool to allow system administrators in-training to inspect privileged system files without giving them the ability to modify them or damage the system.
Because the program runs with root privileges, the call to system() also executes with root privileges. If a user specifies a standard filename, the call works as expected. However, if an attacker passes a string of the form ";rm -rf /", then the call to system() fails to execute cat due to a lack of arguments and then plows on to recursively delete the contents of the root partition.
Note that if argv[1] is a very long argument, then this issue might also be subject to a buffer overflow (CWE-120).
Example 3
This example is a web application that intends to perform a DNS lookup of a user-supplied domain name. It is subject to the first variant of OS command injection.
Suppose an attacker provides a domain name like this:
The "%3B" sequence decodes to the ";" character, and the %20 decodes to a space. The open() statement would then process a string like this:
As a result, the attacker executes the "/bin/ls -l" command and gets a list of all the files in the program's working directory. The input could be replaced with much more dangerous commands, such as installing a malicious program on the server.
Example 4
The example below reads the name of a shell script to execute from the system properties. It is subject to the second variant of OS command injection.
If an attacker has control over this property, then they could modify the property to point to a dangerous program.
Example 5
In the example below, a method is used to transform geographic coordinates from latitude and longitude format to UTM format. The method gets the input coordinates from a user through an HTTP request and executes a program local to the application server that performs the transformation. The method passes the latitude and longitude coordinates as a command-line option to the external program and will perform some processing to retrieve the results of the transformation and return the resulting UTM coordinates.
However, the method does not verify that the contents of the coordinates input parameter include only correctly-formatted latitude and longitude coordinates. If the input coordinates were not validated prior to the call to this method, a malicious user could execute another program local to the application server by appending '&' followed by the command for another program to the end of the coordinate string. The '&' instructs the Windows operating system to execute another program.
Example 6
The following code is from an administrative web application designed to allow users to kick off a backup of an Oracle database using a batch-file wrapper around the rman utility and then run a cleanup.bat script to delete some temporary files. The script rmanDB.bat accepts a single command line parameter, which specifies what type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
The problem here is that the program does not do any validation on the backuptype parameter read from the user. Typically the Runtime.exec() function will not execute multiple commands, but in this case the program first runs the cmd.exe shell in order to run multiple commands with a single call to Runtime.exec(). Once the shell is invoked, it will happily execute multiple commands separated by two ampersands. If an attacker passes a string of the form "& del c:\\dbms\\*.*", then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.
Example 7
The following code is a wrapper around the UNIX command cat which prints the contents of a file to standard out. It is also injectable:
Used normally, the output is simply the contents of the file requested, such as Story.txt:
However, if the provided argument includes a semicolon and another command, such as:
Then the "ls" command is executed by catWrapper with no complaint:
Two commands would then be executed: catWrapper, then ls. The result might look like:
If catWrapper had been set to have a higher privilege level than the standard user, arbitrary commands could be executed with that higher privilege.
Note: this is a curated list of examples for users to understand the variety of ways in which this weakness can be introduced. It is not a complete list of all CVEs that are related to this CWE entry.
Reference | Description |
---|---|
| Platform for handling LLMs has OS command injection during training due to insecure use of the "Popen" function |
| OS command injection in Wi-Fi router, as exploited in the wild per CISA KEV. |
| Template functionality in network configuration management tool allows OS command injection, as exploited in the wild per CISA KEV. |
| Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program. |
| Web server allows command execution using "|" (pipe) character. |
| FTP client does not filter "|" from filenames returned by the server, allowing for OS command injection. |
| Shell metacharacters in a filename in a ZIP archive |
| Shell metacharacters in a telnet:// link are not properly handled when the launching application processes the link. |
| OS command injection through environment variable. |
| OS command injection through https:// URLs |
| Chain: incomplete denylist for OS command injection |
| Product allows remote users to execute arbitrary commands by creating a file whose pathname contains shell metacharacters. |
Method | Details |
---|---|
Automated Static Analysis | This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes. Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke OS commands, leading to false negatives - especially if the API/library code is not available for analysis. |
Automated Dynamic Analysis | This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Effectiveness: Moderate |
Manual Static Analysis | Since this weakness does not typically appear frequently within a single software package, manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all potentially-vulnerable operations can be assessed within limited time constraints. Effectiveness: High |
Automated Static Analysis - Binary or Bytecode | According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Effectiveness: High |
Dynamic Analysis with Automated Results Interpretation | According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Effectiveness: SOAR Partial |
Dynamic Analysis with Manual Results Interpretation | According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Effectiveness: SOAR Partial |
Manual Static Analysis - Source Code | According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Cost effective for partial coverage: Effectiveness: High |
Automated Static Analysis - Source Code | According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Effectiveness: High |
Architecture or Design Review | According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Cost effective for partial coverage: Effectiveness: High |
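As an added illustration of the Automated Static Analysis row above (this is not a tool from the CWE entry, only a sketch written for this page), the scanner below walks a Python AST and flags the sink pattern this entry describes: `os.system`, `os.popen`, or a `subprocess` call with `shell=True` whose command is not a string literal. The sample source it scans is constructed, and the `cmdhelper` module in it is a hypothetical third-party wrapper included to show the false-negative case the text mentions: a library that indirectly invokes a command is not recognised because its code is not visible to the check. Real tools add data-flow analysis on top of this syntactic rule to reduce the false positives the text also describes.

```python
"""Added example (not part of the CWE entry): a minimal static check for
the shell-string command pattern. Flags os.system/os.popen and
subprocess.* calls with shell=True when the command argument is not a
plain string literal. SAMPLE_SOURCE is constructed; 'cmdhelper' is a
hypothetical third-party module used to show a false negative."""
import ast

OS_SINKS = {"system", "popen"}                              # os.system / os.popen
SUBPROCESS_SINKS = {"run", "call", "check_call", "check_output", "Popen"}


def _is_constant_str(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _attr_name(func):
    """Return (module, name) for calls of the form module.name(...)."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return func.value.id, func.attr
    return None, None


def _shell_is_true(call):
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def find_shell_sinks(source):
    """Return [(line, description)] for each risky command invocation,
    sorted by line. Purely syntactic: no data flow, no validation awareness."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        module, name = _attr_name(node.func)
        cmd = node.args[0] if node.args else None
        if module == "os" and name in OS_SINKS and not _is_constant_str(cmd):
            findings.append((node.lineno, "os.%s with non-literal command" % name))
        elif (module == "subprocess" and name in SUBPROCESS_SINKS
              and _shell_is_true(node) and not _is_constant_str(cmd)):
            findings.append((node.lineno,
                             "subprocess.%s(shell=True) with non-literal command" % name))
    return sorted(findings)


# Constructed input for the scanner; line numbers are referenced in the comments.
SAMPLE_SOURCE = '''\
import os, subprocess
import cmdhelper                                   # hypothetical third-party wrapper
def list_home(user):
    os.system("ls -l /home/" + user)               # line 4: shell string built from input
def list_home_safe(user):
    subprocess.run(["ls", "-l", "/home/" + user])  # line 6: argv list, no shell
def run_shell(cmd):
    subprocess.run(cmd, shell=True)                # line 8: shell=True with a variable
def run_fixed():
    os.system("ls -l /tmp")                        # line 10: literal command, not flagged
def via_library(user):
    cmdhelper.run("ls " + user)                    # line 12: indirect call, not recognised
'''


if __name__ == "__main__":
    for line, what in find_shell_sinks(SAMPLE_SOURCE):
        print("line %d: %s" % (line, what))        # lines 4 and 8 are reported
```

Line 12 is the case the Details column warns about: the dangerous call happens inside `cmdhelper`, so a check that only knows the standard-library sinks reports nothing there, which is why such tools need either the wrapper's source or a model of its behaviour.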
Nature | Type | ID | Name |
---|---|---|---|
MemberOf | View (a subset of CWE entries that provides a way of examining CWE content; the two main view structures are Slices (flat lists) and Graphs (containing relationships between entries)) | 635 | Weaknesses Originally Used by NVD from 2008 to 2016 |
MemberOf | Category | 714 | OWASP Top Ten 2007 Category A3 - Malicious File Execution |
MemberOf | Category | 727 | OWASP Top Ten 2004 Category A6 - Injection Flaws |
MemberOf | Category | 741 | CERT C Secure Coding Standard (2008) Chapter 8 - Characters and Strings (STR) |
MemberOf | Category | 744 | CERT C Secure Coding Standard (2008) Chapter 11 - Environment (ENV) |
MemberOf | Category | 751 | 2009 Top 25 - Insecure Interaction Between Components |
MemberOf | Category | 801 | 2010 Top 25 - Insecure Interaction Between Components |
MemberOf | Category | 810 | OWASP Top Ten 2010 Category A1 - Injection |
MemberOf | Category | 845 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 2 - Input Validation and Data Sanitization (IDS) |
MemberOf | Category | 864 | 2011 Top 25 - Insecure Interaction Between Components |
MemberOf | Category | 875 | CERT C++ Secure Coding Section 07 - Characters and Strings (STR) |
MemberOf | Category | 878 | CERT C++ Secure Coding Section 10 - Environment (ENV) |
MemberOf | View | 884 | CWE Cross-section |
MemberOf | Category | 929 | OWASP Top Ten 2013 Category A1 - Injection |
MemberOf | Category | 990 | SFP Secondary Cluster: Tainted Input to Command |
MemberOf | Category | 1027 | OWASP Top Ten 2017 Category A1 - Injection |
MemberOf | Category | 1131 | CISQ Quality Measures (2016) - Security |
MemberOf | Category | 1134 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 00. Input Validation and Data Sanitization (IDS) |
MemberOf | Category | 1165 | SEI CERT C Coding Standard - Guidelines 10. Environment (ENV) |
MemberOf | View | 1200 | Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors |
MemberOf | View | 1337 | Weaknesses in the 2021 CWE Top 25 Most Dangerous Software Weaknesses |
MemberOf | Category | 1347 | OWASP Top Ten 2021 Category A03:2021 - Injection |
MemberOf | View | 1350 | Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses |
MemberOf | View | 1387 | Weaknesses in the 2022 CWE Top 25 Most Dangerous Software Weaknesses |
MemberOf | Category | 1409 | Comprehensive Categorization: Injection |
MemberOf | View | 1425 | Weaknesses in the 2023 CWE Top 25 Most Dangerous Software Weaknesses |
MemberOf | View | 1430 | Weaknesses in the 2024 CWE Top 25 Most Dangerous Software Weaknesses |
Rationale
This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments
Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Terminology
Research Gap
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | | | OS Command Injection |
OWASP Top Ten 2007 | A3 | CWE More Specific | Malicious File Execution |
OWASP Top Ten 2004 | A6 | CWE More Specific | Injection Flaws |
CERT C Secure Coding | ENV03-C | | Sanitize the environment when invoking external programs |
CERT C Secure Coding | ENV33-C | CWE More Specific | Do not call system() |
CERT C Secure Coding | STR02-C | | Sanitize data passed to complex subsystems |
WASC | 31 | | OS Commanding |
The CERT Oracle Secure Coding Standard for Java (2011) | IDS07-J | | Do not pass untrusted, unsanitized data to the Runtime.exec() method |
Software Fault Patterns | SFP24 | | Tainted input to command |
OMG ASCSM | ASCSM-CWE-78 | | |
Submissions
Submission Date | Submitter | Organization | |
---|---|---|---|
2006-07-19 (CWE Draft 3, 2006-07-19) | PLOVER | | |
Contributions
Contribution Date | Contributor | Organization | Contribution |
---|---|---|---|
2024-02-29 (CWE 4.15, 2024-07-16) | Abhi Balakrishnan | | Provided diagram to improve CWE usability |
Modifications
Modification Date | Modifier | Organization | Changes |
---|---|---|---|
2025-09-09 (CWE 4.18, 2025-09-09) | CWE Content Team | MITRE | updated Applicable_Platforms, Detection_Factors, Observed_Examples, Potential_Mitigations, References |
2024-11-19 (CWE 4.16, 2024-11-19) | CWE Content Team | MITRE | updated Relationships |
2024-07-16 (CWE 4.15, 2024-07-16) | CWE Content Team | MITRE | updated Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Diagram, References |
2023-06-29 | CWE Content Team | MITRE | updated Mapping_Notes, Relationships |
2023-04-27 | CWE Content Team | MITRE | updated Detection_Factors, References, Relationships, Time_of_Introduction |
2023-01-31 | CWE Content Team | MITRE | updated Common_Consequences, Description |
2022-10-13 | CWE Content Team | MITRE | updated References |
2022-06-28 | CWE Content Team | MITRE | updated Observed_Examples, Relationships |
2022-04-28 | CWE Content Team | MITRE | updated Demonstrative_Examples |
2021-10-28 | CWE Content Team | MITRE | updated Relationships |
2021-07-20 | CWE Content Team | MITRE | updated Observed_Examples, Relationships |
2020-12-10 | CWE Content Team | MITRE | updated Potential_Mitigations, Relationships |
2020-08-20 | CWE Content Team | MITRE | updated Relationships |
2020-06-25 | CWE Content Team | MITRE | updated Observed_Examples, Potential_Mitigations |
2020-02-24 | CWE Content Team | MITRE | updated Potential_Mitigations, Relationships |
2019-09-19 | CWE Content Team | MITRE | updated Relationships |
2019-06-20 | CWE Content Team | MITRE | updated Relationships |
2019-01-03 | CWE Content Team | MITRE | updated References, Relationships, Taxonomy_Mappings |
2018-03-27 | CWE Content Team | MITRE | updated Relationships |
2017-11-08 | CWE Content Team | MITRE | updated Modes_of_Introduction, References, Relationships, Taxonomy_Mappings, White_Box_Definitions |
2015-12-07 | CWE Content Team | MITRE | updated Relationships |
2014-07-30 | CWE Content Team | MITRE | updated Detection_Factors, Relationships, Taxonomy_Mappings |
2014-06-23 | CWE Content Team | MITRE | updated Relationships |
2014-02-18 | CWE Content Team | MITRE | updated Applicable_Platforms, Demonstrative_Examples, Terminology_Notes |
2012-10-30 | CWE Content Team | MITRE | updated Observed_Examples, Potential_Mitigations |
2012-05-11 | CWE Content Team | MITRE | updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings |
2011-09-13 | CWE Content Team | MITRE | updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings |
2011-06-27 | CWE Content Team | MITRE | updated Relationships |
2011-06-01 | CWE Content Team | MITRE | updated Common_Consequences, Relationships, Taxonomy_Mappings |
2011-03-29 | CWE Content Team | MITRE | updated Demonstrative_Examples, Description |
2010-12-13 | CWE Content Team | MITRE | updated Description, Potential_Mitigations |
2010-09-27 | CWE Content Team | MITRE | updated Potential_Mitigations |
2010-06-21 | CWE Content Team | MITRE | updated Common_Consequences, Description, Detection_Factors, Name, Observed_Examples, Potential_Mitigations, References, Relationships |
2010-04-05 | CWE Content Team | MITRE | updated Potential_Mitigations |
2010-02-16 | CWE Content Team | MITRE | updated Detection_Factors, Potential_Mitigations, References, Relationships, Taxonomy_Mappings |
2009-12-28 | CWE Content Team | MITRE | updated Detection_Factors |
2009-10-29 | CWE Content Team | MITRE | updated Observed_Examples, References |
2009-07-27 | CWE Content Team | MITRE | updated Description, Name, White_Box_Definitions |
2009-07-17 | KDM Analytics | | Improved the White_Box_Definition |
2009-05-27 | CWE Content Team | MITRE | updated Name, Related_Attack_Patterns |
2009-03-10 | CWE Content Team | MITRE | updated Potential_Mitigations |
2009-01-12 | CWE Content Team | MITRE | updated Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Research_Gaps, Terminology_Notes |
2008-11-24 | CWE Content Team | MITRE | updated Observed_Examples, Relationships, Taxonomy_Mappings |
2008-10-14 | CWE Content Team | MITRE | updated Description |
2008-09-08 | CWE Content Team | MITRE | updated Relationships, Other_Notes, Taxonomy_Mappings |
2008-08-15 | Veracode | | Suggested OWASP Top Ten 2004 mapping |
2008-08-01 | KDM Analytics | | added/updated white box definitions |
2008-07-01 | Eric Dalci | Cigital | updated Time_of_Introduction |
2008-07-01 | Sean Eidemiller | Cigital | added/updated demonstrative examples |
Previous Entry Names
Change Date | Previous Entry Name |
---|---|
2008-04-11 | OS Command Injection |
2009-01-12 | Failure to Sanitize Data into an OS Command (aka 'OS Command Injection') |
2009-05-27 | Failure to Preserve OS Command Structure (aka 'OS Command Injection') |
2009-07-27 | Failure to Preserve OS Command Structure ('OS Command Injection') |
2010-06-21 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') |
Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.