
CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection')): Vulnerability Class, 1185 CVEs

1185 vulnerabilities classified as CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection')). AI-generated Chinese analysis included.

CWE-77 represents a critical input validation weakness where software constructs commands using untrusted data without properly sanitizing special characters. Attackers typically exploit this by injecting malicious payloads, such as semicolons or pipe operators, into user-supplied fields to alter the intended command structure. This allows them to execute arbitrary system commands, potentially leading to full system compromise, data exfiltration, or denial of service. To prevent such vulnerabilities, developers must strictly validate and sanitize all external inputs, ensuring that only expected data formats are processed. Utilizing parameterized APIs or safe command execution libraries instead of direct string concatenation significantly reduces risk. Additionally, implementing the principle of least privilege for application processes limits the potential impact of successful injection attempts, thereby enhancing overall system security against command injection attacks.

MITRE CWE Description
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Many protocols and products have their own custom command language. While OS or shell command strings are frequently discovered and targeted, developers may not realize that these other command languages might also be vulnerable to attacks.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability. Impact: Execute Unauthorized Code or Commands.
If a malicious user injects a character (such as a semi-colon) that delimits the end of one command and the beginning of another, it may be possible to then insert an entirely new and unrelated command that was not intended to be executed. This gives an attacker a privilege or capability that they w…
Mitigations (5)
Architecture and Design: If at all possible, use library calls rather than external processes to recreate the desired functionality.
Implementation: If possible, ensure that all external commands called from the program are statically created.
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Operation (run time): Run-time policy enforcement may be used in an allowlist fashion to prevent use of any non-sanctioned commands.
System Configuration: Assign permissions that prevent the user from accessing/opening privileged files.
Examples (2)
Consider a "CWE Differentiator" application that uses an LLM generative AI based "chatbot" to explain the difference between two weaknesses. As input, it accepts two CWE IDs, constructs a prompt string, sends the prompt to the chatbot, and prints the results. The prompt string effectively acts as a command to the chatbot component. Assume that invokeChatbot() calls the chatbot and returns the …
# arg1 and arg2 are the caller-supplied CWE IDs; they are placed into the
# prompt without validation, so they can reshape the "command" sent to the chatbot.
prompt = "Explain the difference between {} and {}".format(arg1, arg2)
result = invokeChatbot(prompt)      # assumed to call the chatbot and return its reply (see text)
resultHTML = encodeForHTML(result)  # encodes the output for HTML; it does not constrain what went into the prompt
print(resultHTML)
Bad · Python
Explain the difference between CWE-77 and CWE-78
Informative
Consider the following program. It intends to perform an "ls -l" on an input filename. The validate_name() subroutine performs validation on the input to make sure that only alphanumeric and "-" characters are allowed, which avoids path traversal (CWE-22) and OS command injection (CWE-78) weaknesses. Only filenames like "abc" or "d-e-f" are intended to be allowed.
# GetArgument() is assumed to return the untrusted "filename" parameter.
my $arg = GetArgument("filename");
do_listing($arg);

sub do_listing {
    my($fname) = @_;
    if (! validate_name($fname)) {
        print "Error: name is not well-formed!\n";
        return;
    }
    # build command: the validated name is interpolated into a single string
    # and handed to system(), so it is still parsed as part of the command line
    my $cmd = "/bin/ls -l $fname";
    system($cmd);
}

sub validate_name {
    my($name) = @_;
    # allow-list: only word characters and "-" anywhere in the name,
    # which still admits names that begin with "-"
    if ($name =~ /^[\w\-]+$/) {
        return(1);
    }
    else {
        return(0);
    }
}
Bad · Perl
if ($name =~ /^\w[\w\-]+$/) ...
Good · Perl
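As an added example that is not part of the CWE entry or MITRE's code, the two validators from the Perl listing above are transcribed to Python beside the no-shell, list-form invocation that the "use library calls" and "statically created commands" mitigations point to. The only assumption is a Unix ls at /bin/ls (the path used on the page) that honors the "--" end-of-options convention.

```python
import re
import subprocess
from typing import List

# The page's "Bad" and "Good" patterns, transcribed from Perl.
WEAK_NAME_RE = re.compile(r"^[\w\-]+$")     # Bad: a name may begin with "-"
FIXED_NAME_RE = re.compile(r"^\w[\w\-]+$")  # Good: first character must be \w


def validate_name(name: str, pattern: re.Pattern = FIXED_NAME_RE) -> bool:
    """Accept-known-good check: True only if the whole name matches the allow-list."""
    return pattern.fullmatch(name) is not None


def build_listing_argv(fname: str) -> List[str]:
    """Return the argv for "ls -l <fname>" as a list, never as a shell string.

    With a list there is no shell to parse the name, so shell metacharacters are
    inert.  The "--" end-of-options marker additionally tells ls to treat a
    dash-prefixed name as an operand, which closes the gap the weak regex leaves
    even if a caller still uses that regex.
    """
    if not validate_name(fname):
        raise ValueError("name is not well-formed")
    return ["/bin/ls", "-l", "--", fname]


def do_listing(fname: str) -> int:
    """Run the listing without a shell and return the process exit status."""
    return subprocess.run(build_listing_argv(fname), check=False).returncode


if __name__ == "__main__":
    # Constructed sample inputs: the two the page intends to allow, one that
    # slips past the weak pattern, and two that both patterns reject.
    for candidate in ("abc", "d-e-f", "-l", "a;b", "../x"):
        print(f"{candidate!r:8} weak={validate_name(candidate, WEAK_NAME_RE)!s:5} "
              f"fixed={validate_name(candidate)}")
```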
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-8127 | D-Link DNS-1550-04 HTTP POST Request webfile_mgr.cgi cgi_unzip command injection | DNS-120 | 6.3 | Medium | 2024-08-24
CVE-2024-7110 | Improper Neutralization of Special Elements used in a Command ('Command Injection') in GitLab | GitLab | 6.4 | Medium | 2024-08-22
CVE-2024-7922 | D-Link DNS-1550-04 myMusic.cgi cgi_write_playlist command injection | DNS-120 | 6.3 | Medium | 2024-08-19
CVE-2024-7907 | TOTOLINK X6000R cstecgi.cgi setSyslogCfg command injection | X6000R | 6.3 | Medium | 2024-08-18
CVE-2024-7897 | Tosei Online Store Management System ネット店舗管理システム tosei_kikai.php command injection | Online Store Management System ネット店舗管理システム | 6.3 | Medium | 2024-08-17
CVE-2024-7896 | Tosei Online Store Management System ネット店舗管理システム p1_ftpserver.php command injection | Online Store Management System ネット店舗管理システム | 6.3 | Medium | 2024-08-17
CVE-2024-7833 | D-Link DI-8100 upgrade_filter.asp upgrade_filter_asp command injection | DI-8100 | 6.3 | Medium | 2024-08-15
CVE-2024-42360 | Command Injection in sequenceserver | sequenceserver | 9.8 | Critical | 2024-08-14
CVE-2024-5914 | Cortex XSOAR: Command Injection in CommonScripts Pack | Cortex XSOAR CommonScripts | 9.8 (AI) | Critical (AI) | 2024-08-14
CVE-2024-7715 | D-Link DNS-1550-04 photocenter_mgr.cgi sprintf command injection | DNS-120 | 6.3 | Medium | 2024-08-13
CVE-2024-7700 | Foreman: command injection in "host init config" template via "install packages" field on foreman | - | 6.5 | Medium | 2024-08-12
CVE-2024-21879 | URL parameter manipulations allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway v4.x to v8.x and < v8.2.4225 | Envoy | 8.8 (AI) | High (AI) | 2024-08-10
CVE-2024-21878 | Command Injection through Unsafe File Name Evaluation in internal script in Enphase IQ Gateway v4.x to and including 8.x | Envoy | 8.8 (AI) | High (AI) | 2024-08-10
CVE-2024-21880 | URL parameter manipulations allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway version 4.x <= 7.x | Envoy | 8.8 (AI) | High (AI) | 2024-08-10
CVE-2024-22122 | AT(GSM) Command Injection | Zabbix | 3.0 | Low | 2024-08-09
CVE-2024-7616 | Edimax IC-6220DC/IC-5150W ipcam_cgi cgiFormString command injection | IC-6220DC | 5.5 | Medium | 2024-08-08
CVE-2024-37023 | Vonets WiFi Bridges Command Injection | VAR1200-H | 9.1 | Critical | 2024-08-08
CVE-2024-7397 | Unauthenticated Command Injection | JetPort 5601v3 | 9.8 (AI) | Critical (AI) | 2024-08-05
CVE-2024-7464 | TOTOLINK CP900 Telnet Service setTelnetCfg command injection | CP900 | 6.3 | Medium | 2024-08-05
CVE-2024-7443 | Vivotek IB8367A upload_file.cgi getenv command injection | IB8367A | 6.3 | Medium | 2024-08-03
CVE-2024-7442 | Vivotek SD9364 upload_file.cgi getenv command injection | SD9364 | 6.3 | Medium | 2024-08-03
CVE-2024-7440 | Vivotek CC8160 upload_file.cgi getenv command injection | CC8160 | 6.3 | Medium | 2024-08-03
CVE-2024-7436 | D-Link DI-8100 msp_info.htm msp_info_htm command injection | DI-8100 | 6.3 | Medium | 2024-08-03
CVE-2024-42348 | FOG leaks sensitive information (AD domain, username and password) | fogproject | 9.3 | Critical | 2024-08-02
CVE-2024-7029 | Command Injection in AVTech AVM1203 (IP Camera) | AVM1203 (IP Camera) | 8.8 | High | 2024-08-02
CVE-2024-7215 | TOTOLINK LR1200 cstecgi.cgi NTPSyncWithHost command injection | LR1200 | 6.3 | Medium | 2024-07-30
CVE-2024-7214 | TOTOLINK LR350 cstecgi.cgi setWanCfg command injection | LR350 | 6.3 | Medium | 2024-07-30
CVE-2024-7181 | TOTOLINK A3600R cstecgi.cgi setTelnetCfg command injection | A3600R | 6.3 | Medium | 2024-07-29
CVE-2024-7160 | TOTOLINK A3700R cstecgi.cgi setWanCfg command injection | A3700R | 6.3 | Medium | 2024-07-28
CVE-2024-7158 | TOTOLINK A3100R HTTP POST Request cstecgi.cgi setTelnetCfg command injection | A3100R | 6.3 | Medium | 2024-07-28

Vulnerabilities classified as CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection')) represent 1185 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.