The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer.
View on MITREThe developer - or customers - may wish to restrict or eliminate use of a function, library, or third party component for any number of reasons, including real or suspected vulnerabilities; difficulty to use securely; export controls or license requirements; obsolete or poorly-maintained code; internal code being scheduled for deprecation; etc. To reduce risk of vulnerabilities, the developer might maintain a list of "banned" functions that programmers must avoid using because the functions are difficult or impossible to use securely. This issue can also make the product more costly and difficult to maintain.
No mitigation information available for this CWE.
No detection method information available for this CWE.
The code below calls the gets() function to read in data from the command line.
However, gets() is inherently unsafe, because it copies all input from STDIN to the buffer without checking size. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition.
char buf[24];printf("Please enter your name and press <Enter>\n");gets(buf);...}The following code attempts to create a local copy of a buffer to perform some manipulations to the data.
However, the programmer does not ensure that the size of the data pointed to by string will fit in the local buffer and copies the data with the potentially dangerous strcpy() function. This may result in a buffer overflow condition if an attacker can influence the contents of the string parameter.
void manipulate_string(char * string){char buf[24];strcpy(buf, string);...}FTP client uses inherently insecure gets() function and is setuid root on some systems, allowing buffer overflow
View DetailsCWE-1177: Use of Prohibited Code is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer. The developer - or customers - may wish to restrict or eliminate use of a function, library, or third party component for any number of reasons, including real or suspected vulnerabilities; difficulty to use securely; export controls or license requirements; obsolete or poorly-maintained code; internal code being scheduled for deprecation; etc. To reduce risk of vulnerabilities, the developer might maintain a list of "banned" functions that programmers must avoid using because the functions are difficult or impossible to use securely. This issue can also make the product more costly and difficult to maintain.
If exploited, CWE-1177 (Use of Prohibited Code) it can compromise Other, leading to outcomes such as Reduce Maintainability.
CWE-1177 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-1177, including CVE-2007-1470 and CVE-2007-4004. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-1177 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.