
CWE-913 (Improper Control of Dynamically-Managed Code Resources) — Vulnerability Class 47

47 vulnerabilities classified as CWE-913 (Improper Control of Dynamically-Managed Code Resources). AI Chinese analysis included.

CWE-913 covers software that fails to restrict reading from or writing to dynamically-managed code resources: variables, objects, classes, attributes, functions, and executable statements. The weakness typically appears in languages that support runtime code generation or modification, such as JavaScript or Python, when an attacker-influenced value selects which code resource is read, written, loaded, or executed without adequate validation. Controlling such a value can yield remote code execution, data injection, or privilege escalation, bypassing the controls the application otherwise enforces. Mitigation starts with checking every externally influenced input against an allowlist of acceptable values, and preferably refactoring so the code path is not chosen dynamically at all. Restricting access to dynamic execution features, using frameworks or sandboxes that limit them, and running runtime environments with least privilege reduce the impact when such a path remains. Code review and static analysis help locate these dynamic resource interactions before deployment.

MITRE CWE Description
The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways.
Common Consequences (2)
Integrity: Execute Unauthorized Code or Commands
Other, Integrity: Varies by Context, Alter Execution Logic
Mitigations (2)
Implementation: For any externally-influenced input, check the input against an allowlist of acceptable values.
Implementation, Architecture and Design: Refactor the code so that it does not need to be dynamically managed.
Examples (2)
This example attempts to write user messages to a message file and allow users to view them. Because the message file is later executed with include() rather than displayed as text, any PHP code embedded in a message is run when the messages are viewed.
$MessageFile = "messages.out";
if ($_GET["action"] == "NewMessage") {
    $name = $_GET["name"];
    $message = $_GET["message"];
    $handle = fopen($MessageFile, "a+");
    fwrite($handle, "<b>$name</b> says '$message'<hr>\n");
    fclose($handle);
    echo "Message Saved!<p>\n";
}
else if ($_GET["action"] == "ViewMessages") {
    include($MessageFile);
}
Bad · PHP
name=h4x0r message=%3C?php%20system(%22/bin/ls%20-l%22);?%3E
Attack
A common reason that programmers use the reflection API is to implement their own command dispatcher. The following example shows a command dispatcher that does not use reflection:
String ctl = request.getParameter("ctl");
Worker ao = null;
if (ctl.equals("Add")) {
    ao = new AddCommand();
} else if (ctl.equals("Modify")) {
    ao = new ModifyCommand();
} else {
    throw new UnknownActionError();
}
ao.doAction(request);
Good · Java
String ctl = request.getParameter("ctl");
Class cmdClass = Class.forName(ctl + "Command");
Worker ao = (Worker) cmdClass.newInstance();
ao.doAction(request);
Bad · Java
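The same dispatcher pair in Python, as an added example rather than code from the CWE entry: the reflective version resolves a class name assembled from the request, so every class in the module that happens to end in "Command" becomes reachable, while the allowlist version can only ever select from a fixed mapping. The command classes, the request shape and the internal ResetAllCommand are constructed for the illustration.

```python
import sys


class Worker:
    def do_action(self, request: dict) -> str:
        raise NotImplementedError


class AddCommand(Worker):
    def do_action(self, request):
        return f"added {request.get('item')}"


class ModifyCommand(Worker):
    def do_action(self, request):
        return f"modified {request.get('item')}"


class ResetAllCommand(Worker):
    # Constructed internal maintenance command that the web layer was
    # never meant to expose; it only exists to show what reflection reaches.
    def do_action(self, request):
        return "ALL DATA RESET"


class UnknownActionError(ValueError):
    pass


def dispatch_reflective(request: dict) -> str:
    # Bad (CWE-913): the class name is derived from the 'ctl' parameter,
    # so the caller chooses which code resource is instantiated and run.
    ctl = request["ctl"]
    cmd_class = getattr(sys.modules[__name__], ctl + "Command")
    return cmd_class().do_action(request)


# Good: the only actions that exist are the keys of this allowlist.
COMMANDS = {"Add": AddCommand, "Modify": ModifyCommand}


def dispatch_allowlisted(request: dict) -> str:
    # The parameter is used purely as a lookup key; no input-derived name
    # ever reaches getattr, import machinery or eval.
    cmd_class = COMMANDS.get(request["ctl"])
    if cmd_class is None:
        raise UnknownActionError(request["ctl"])
    return cmd_class().do_action(request)


def rejects(dispatcher, ctl: str) -> bool:
    """True if the dispatcher refuses the action name instead of running it."""
    try:
        dispatcher({"ctl": ctl})
    except (UnknownActionError, AttributeError):
        return True
    return False
```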
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2022-40634 | Improper Control of Dynamically-Managed Code Resources in Crafter Studio | Crafter CMS | 6.4 | Medium | 2022-09-13
CVE-2022-36067 | vm2 vulnerable to Sandbox Escape before v3.9.11 | vm2 | 10.0 | Critical | 2022-09-06
CVE-2022-39051 | Perl Code execution in Template Toolkit | OTRS | 6.8 | Medium | 2022-09-05
CVE-2021-23267 | Improper Control of Dynamically-Managed Code Resources in Crafter Studio | Crafter CMS | 7.6 | High | 2022-05-16
CVE-2021-42809 | The Sentinel Protection Installer 7.7.0 does not properly restrict loading Dynamic Link Library | Sentinel Protection Installer | 6.5 | Medium | 2021-12-20
CVE-2021-23262 | Snakeyaml deserialization vulnerability bypass | Crafter CMS | 4.2 | Medium | 2021-12-02
CVE-2021-23259 | Groovy Sandbox Bypass | Crafter CMS | 4.2 | Medium | 2021-12-02
CVE-2021-23258 | Spring SPEL Expression Language Injection | Crafter CMS | 4.2 | Medium | 2021-12-02
CVE-2021-32813 | Drop Headers via Malicious Connection Header | traefik | 4.8 | Medium | 2021-08-03
CVE-2021-21413 | Misuse of `Reference` and other transferable APIs may lead to access to nodejs isolate | isolated-vm | 8.0 | High | 2021-03-30
CVE-2020-3419 | Cisco Webex Meetings and Cisco Webex Meetings Server Ghost Join Vulnerability | Cisco WebEx Meetings Server | 6.5 | Medium | 2020-11-18
CVE-2020-25803 | Authenticated attackers with developer privileges in Crafter Studio may execute OS commands via deep inspection of FreeMarker template exposed objects. | Crafter CMS | 4.2 | Medium | 2020-10-06
CVE-2020-25802 | Authenticated attackers with developer privileges in Crafter Studio may execute OS commands via Groovy scripting. | Crafter CMS | 4.2 | Medium | 2020-10-06
CVE-2019-1617 | Cisco Nexus 9000 Series Switches Standalone NX-OS Mode Fibre Channel over Ethernet NPV Denial of Service Vulnerability | Nexus 9000 Series Switches in Standalone NX-OS Mode | 7.4 | - | 2019-03-11
CVE-2019-1595 | Cisco Nexus 5600 and 6000 Series Switches Fibre Channel over Ethernet Denial of Service Vulnerability | Cisco NX-OS Software | 6.5 | - | 2019-03-06
CVE-2017-3202 | The implementation of Action Message Format (AMF3) deserializers in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes due to improper code control | Flamingo amf-serializer | 9.8 | - | 2018-06-11
CVE-2017-3200 | The implementation of Action Message Format (AMF3) deserializers in GraniteDS, version 3.1.1.GA, may allow instantiation of arbitrary classes due to improper code control | Framework | 8.1 | - | 2018-06-11

Vulnerabilities classified as CWE-913 (Improper Control of Dynamically-Managed Code Resources) represent 47 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.