CWE-242: Use of Inherently Dangerous Function

BaseDraftExploit Likelihood: High

The product calls a function that can never be guaranteed to work safely.

View on MITRE
Back to CWE Lookup

Extended Description

Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account. The gets() function is unsafe because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to gets() and overflow the destination buffer. Similarly, the >> operator is unsafe to use when reading into a statically-allocated character array because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to the >> operator and overflow the destination buffer.

Technical Details

Structure
Simple

Applicable To

Languages
CC++
Platforms

Learn More

Find Related CVEs

Search for vulnerabilities that exploit CWE-242

CVE vs CWE: What's the Difference?

Understanding vulnerabilities vs weaknesses

Understanding CVSS Scoring

How vulnerability severity is measured

View Full MITRE Entry

Complete technical details and references