Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-114 (流程控制) — Vulnerability Class 22

22 vulnerabilities classified as CWE-114 (流程控制). AI Chinese analysis included.

CWE-114 represents a critical process control weakness where applications execute commands or load libraries from untrusted sources or environments. Attackers typically exploit this vulnerability by manipulating input to alter the specific command a program executes or by injecting malicious code into the execution environment. This allows adversaries to run arbitrary payloads with the privileges of the affected application, potentially leading to full system compromise. To mitigate these risks, developers must rigorously validate and sanitize all inputs before passing them to system calls. Implementing strict allowlists for permitted commands and libraries, rather than relying on blocklists, ensures that only authorized operations proceed. Additionally, isolating application processes and minimizing environmental variables can significantly reduce the attack surface, preventing unauthorized control over the execution flow and safeguarding system integrity against malicious interference.

MITRE CWE Description
Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker. Process control vulnerabilities take two forms: An attacker can change the command that the program executes: the attacker explicitly controls what the command is. An attacker can change the environment in which the command executes: the attacker implicitly controls what the command means. Process control vulnerabilities of the first type occur when either data enters the application from an untrusted source and the data is used as part of a string representing a command that is executed by the application. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.
Common Consequences (1)
Confidentiality, Integrity, AvailabilityExecute Unauthorized Code or Commands
Mitigations (1)
Architecture and DesignLibraries that are loaded should be well understood and come from a trusted source. The application can execute code contained in the native libraries, which often contain calls that are susceptible to other security problems, such as buffer overflows or command injection. All native libraries should be validated to determine if the application requires the use of the library. It is very difficult…
Examples (2)
The following code uses System.loadLibrary() to load code from a native library named library.dll, which is normally found in a standard system directory.
... System.loadLibrary("library.dll"); ...
Bad · Java
The following code from a privileged application uses a registry entry to determine the directory in which it is installed and loads a library file based on a relative path from the specified directory.
... RegQueryValueEx(hkey, "APPHOME", 0, 0, (BYTE*)home, &size); char* lib=(char*)malloc(strlen(home)+strlen(INITLIB)); if (lib) { strcpy(lib,home); strcat(lib,INITCMD); LoadLibrary(lib); } ...
Bad · C
CVE IDTitleCVSSSeverityPublished
CVE-2026-26945 Dell Integrated Dell Remote Access Controller 安全漏洞 — Integrated Dell Remote Access Controller 5.3 Medium2026-03-18
CVE-2026-29046 TinyWeb: HTTP Header Control Character Injection into CGI Environment — TinyWeb 7.5 -2026-03-06
CVE-2025-36250 AIX Code Execution — AIX 10.0 Critical2025-11-13
CVE-2025-36251 AIX Command Execution — AIX 9.6 Critical2025-11-13
CVE-2025-46370 Dell Alienware Command Center 安全漏洞 — Alienware Command Center 6.x (AWCC) 3.3 Low2025-11-13
CVE-2025-1950 IBM Hardware Management Console - Power Systems command execution — Hardware Management Console - Power Systems 9.3 Critical2025-04-22
CVE-2024-56347 IBM AIX command execution — AIX 9.6 Critical2025-03-18
CVE-2024-56346 IBM AIX command execution — AIX 10.0 Critical2025-03-18
CVE-2025-0160 IBM FlashSystem code execution — Storage Virtualize 8.1 High2025-02-28
CVE-2025-23385 JetBrains多款产品 安全漏洞 — ReSharper 7.8 High2025-01-28
CVE-2024-8207 MongoDB Server binaries may load potentially insecure shared libraries from specific relative paths — MongoDB Server 6.4 Medium2024-08-27
CVE-2024-32004 Git vulnerable to Remote Code Execution while cloning special-crafted local repositories — git 8.2 High2024-05-14
CVE-2023-4487 GE Digital CIMPLICITY Process Control — CIMPLICITY 7.8 High2023-09-05
CVE-2022-23748 Zoom Rooms 代码问题漏洞 — Audinate Dante Application Library for Windows 7.8 -2022-11-17
CVE-2020-8107 Process Control vulnerability in Bitdefender Antivirus Plus — Antivirus Plus 8.2 High2022-02-18
CVE-2020-6024 Check Point Smartconsole 安全漏洞 — Check Point SmartConsole 7.8 -2021-01-20
CVE-2020-6014 Check Point Endpoint Security Client 代码问题漏洞 — Check Point Endpoint Security Client for Windows 6.0 -2020-10-30
CVE-2020-11081 osquery susceptible to DLL search order hijacking of zlib1.dll — osquery 5.3 Medium2020-07-10
CVE-2020-11075 Shell Escape in Anchore Engine — anchore-engine 7.7 High2020-05-27
CVE-2019-8461 Check Point Endpoint Security Initial Client for Windows 代码问题漏洞 — Check Point Endpoint Security Initial Client for Windows 7.8 -2019-08-29
CVE-2019-8458 Check Point Endpoint Security Client 输入验证错误漏洞 — Check Point Endpoint Security Client for Windows, Anti-Malware blade 5.7 -2019-06-20
CVE-2019-8453 Check Point ZoneAlarm 代码问题漏洞 — Check Point ZoneAlarm 7.1 -2019-04-17

Vulnerabilities classified as CWE-114 (流程控制) represent 22 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.