CWE-695: Use of Low-Level Functionality
The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate.
View on MITREExtended Description
The use of low-level functionality can violate the specification in unexpected ways that effectively disable built-in protection mechanisms, introduce exploitable inconsistencies, or otherwise expose the functionality to attack.
Technical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
Mitigation Strategies
No mitigation information available for this CWE.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
The following code defines a class named Echo. The class declares one native method (defined below), which uses C to echo commands entered on the console back to the user. The following C code defines the native method implemented in the Echo class:
Because the example is implemented in Java, it may appear that it is immune to memory issues like buffer overflow vulnerabilities. Although Java does do a good job of making memory operations safe, this protection does not extend to vulnerabilities occurring in source code written in other languages that are accessed using the Java Native Interface. Despite the memory protections offered in Java, the C code in this example is vulnerable to a buffer overflow because it makes use of gets(), which does not check the length of its input.
The following code defines a class named Echo. The class declares one native method (defined below), which uses C to echo commands entered on the console back to the user. The following C code defines the native method implemented in the Echo class:
Because the example is implemented in Java, it may appear that it is immune to memory issues like buffer overflow vulnerabilities. Although Java does do a good job of making memory operations safe, this protection does not extend to vulnerabilities occurring in source code written in other languages that are accessed using the Java Native Interface. Despite the memory protections offered in Java, the C code in this example is vulnerable to a buffer overflow because it makes use of gets(), which does not check the length of its input.
The following example opens a socket to connect to a remote server.
A Socket object is created directly within the Java servlet, which is a dangerous way to manage remote connections.
CWE Relationships
Frequently Asked Questions
What is CWE-695: Use of Low-Level Functionality?+
CWE-695: Use of Low-Level Functionality is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate. The use of low-level functionality can violate the specification in unexpected ways that effectively disable built-in protection mechanisms, introduce exploitable inconsistencies, or otherwise expose the functionality to attack.
What are the security consequences of Use of Low-Level Functionality?+
If exploited, CWE-695 (Use of Low-Level Functionality) it can compromise Other, leading to outcomes such as Other.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-695 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.