
CWE-242 (Use of Inherently Dangerous Function) — Vulnerability Class 9

9 vulnerabilities are classified as CWE-242 (Use of Inherently Dangerous Function). An AI-generated Chinese analysis is included.

CWE-242 describes software that calls a function which cannot be used safely no matter how the call is written. The canonical example is gets(): it has no size argument and therefore no way to know how large the destination buffer is, so any input longer than the buffer is written past its end and overwrites whatever lies beyond it, typically other stack variables, the saved frame pointer and the return address. An attacker who controls that input can corrupt adjacent data or control flow, which leads to arbitrary code execution, a crash (denial of service) or silent data corruption. Because the defect is in the function's contract rather than in any particular call site, no amount of argument checking makes the call correct; the only fix is to stop calling the function. gets() was deprecated in C99 and removed from the C11 standard. Replace it with a reader that takes the buffer size, such as fgets(buf, sizeof buf, stdin), and handle the truncated-line case it introduces; in C++, read into a std::string rather than a fixed char array. Every write then stays within the destination's declared size, and the weakness is removed rather than mitigated.

MITRE CWE Description
The product calls a function that can never be guaranteed to work safely. Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account. The gets() function is unsafe because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to gets() and overflow the destination buffer. Similarly, the >> operator is unsafe to use when reading into a statically-allocated character array because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to the >> operator and overflow the destination buffer.
Common Consequences (1)
Scope: Other. Impact: Varies by Context.
Mitigations (2)
Phase: Build and Compilation, Implementation. Identify a list of prohibited API functions and prohibit developers from using these functions, providing safer alternatives. In some cases, automatic code analysis tools or the compiler can be instructed to spot use of prohibited functions, such as the "banned.h" include file from Microsoft's SDL. [REF-554] [REF-1009] [REF-7]
Phase: Testing. Use grep or static analysis tools to spot usage of dangerous functions.
Examples (2)
Example 1 (Bad · C). The code below calls gets() to read information into a buffer. Nothing in the call limits how many bytes gets() writes into buf, so the size of the input, not BUFSIZE, decides how much memory is overwritten.

    char buf[BUFSIZE];
    gets(buf);

Example 2 (Bad · C). The code below calls the gets() function to read in data from the command line. buf holds 23 characters plus the terminating NUL; any input of 24 or more characters runs past the end of buf.

    char buf[24];
    printf("Please enter your name and press <Enter>\n");
    gets(buf);
    ...
    }
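The bounded replacement for the gets() calls in the two examples above, as an added example that is not code from MITRE's CWE entry or from any product listed on this page. It uses fgets() with the buffer size so no write can leave the buffer, and it also handles the case a bare fgets() gets wrong: when a line is longer than the buffer, the unread tail would otherwise come back as the next "line", so the reader drains it and reports the truncation. The read_status enum, the read_line_bounded() and stream_from_string() helpers and the sample input are all constructed for this example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added example, not MITRE's or any vendor's code.
 * The vulnerable pattern from the page, shown only as a comment because
 * gets() has no size argument and was removed from C11:
 *
 *     char buf[24];
 *     gets(buf);   // 24 or more input bytes run past the end of buf
 */

enum read_status { READ_OK, READ_TRUNCATED, READ_EOF };

/* Read one line from `in` into dst (capacity dstsz bytes, including the NUL).
 * Never writes past dst[dstsz - 1]. Strips the trailing newline.
 * Returns READ_TRUNCATED when the line did not fit; the remainder of that
 * line is consumed so the next call starts on a fresh line. */
enum read_status read_line_bounded(char *dst, size_t dstsz, FILE *in)
{
    if (dst == NULL || in == NULL || dstsz < 2 || dstsz > (size_t)INT_MAX)
        return READ_EOF;                    /* unusable buffer: refuse, never overflow */

    if (fgets(dst, (int)dstsz, in) == NULL) {
        dst[0] = '\0';                      /* nothing read: end of input or error */
        return READ_EOF;
    }

    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';                  /* whole line fit; drop the newline */
        return READ_OK;
    }

    /* No newline in the buffer: the line fit exactly, the input ended without
     * a newline, or the line was longer than the buffer. Peek one byte to tell. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return READ_OK;

    /* Overflow case: discard the rest of the line, i.e. the bytes gets() would
     * have written past the buffer, instead of handing them to the next read. */
    while (c != '\n' && c != EOF)
        c = fgetc(in);
    return READ_TRUNCATED;
}

/* Helper so the example runs offline: turn a constructed string into a
 * readable FILE* (standard C tmpfile(), no real stdin needed). */
FILE *stream_from_string(const char *s)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(s, f);
    rewind(f);
    return f;
}

int main(void)
{
    /* Constructed sample input: a name that fits a 24-byte buffer, one that
     * would overflow it, and a final line with no newline. */
    FILE *in = stream_from_string(
        "alice\n"
        "this-name-is-far-too-long-for-twenty-four-bytes\n"
        "bob");
    if (in == NULL)
        return 1;

    char buf[24];                           /* same size as the page's Example 2 */
    enum read_status st;
    while ((st = read_line_bounded(buf, sizeof buf, in)) != READ_EOF)
        printf("%-9s '%s'\n", st == READ_TRUNCATED ? "TRUNCATED" : "OK", buf);
    fclose(in);
    return 0;
}
```

The decision that matters is what to do on truncation: silently keeping the first 23 bytes is safe for memory but leaves the tail of the over-long line in the stream, where the next read would accept it as a separate record. Reporting READ_TRUNCATED lets the caller reject the input instead. For enforcing the ban at build time rather than by review, GCC and Clang accept `#pragma GCC poison gets`, which turns any later use of the identifier in that translation unit into a compile error, the same idea as the banned.h list in the mitigations above.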
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-1994 | IBM Cognos Command Center code execution | Cognos Command Center | 7.8 | High | 2025-08-26
CVE-2025-49215 | Trend Micro Endpoint Encryption PolicyServer security vulnerability | Trend Micro Endpoint Encryption Policy Server | 8.8 | High | 2025-06-17
CVE-2025-1331 | IBM CICS TX code execution | CICS TX Standard | 7.8 | High | 2025-05-08
CVE-2024-52324 | Ruijie Reyee OS Use of Inherently Dangerous Function | Reyee OS | 9.8 | Critical | 2024-12-06
CVE-2021-40698 | ColdFusion Use of Inherently Dangerous Function Leads To Security feature bypass | ColdFusion | 7.4 | High | 2023-09-07
CVE-2022-36310 | Airspan AirVelocity 1500 security vulnerability | AirVelocity | 8.8 | - | 2022-08-16
CVE-2021-42543 | AzeoTech DAQFactory | DAQFactory | 7.8 | High | 2021-11-05
CVE-2017-1002157 | modulemd input validation error vulnerability | modulemd | 9.8 | - | 2019-01-10
CVE-2017-0904 | private_address_check ruby gem security vulnerability | private_address_check ruby gem | 8.1 | - | 2017-11-13

The 9 CVEs listed above are classified as CWE-242 (Use of Inherently Dangerous Function). The CWE entry describes the weakness class only; review each CVE for the product-specific impact, since the CVSS scores above range from 7.4 to 9.8 and the severity field is missing for three entries.