CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

BaseStable🏆 #8 in Top 25 (2024)

Description

View on MITRE
415Related CVEs
16.44Severity Score
Back to CWE Lookup

Extended Description

Extended Description

Technical Details

Structure
Simple
Vulnerability Mapping
ALLOWED

Applicable To

Languages
Languages
Platforms

🏆 CWE Top 25 Historical Ranking

2023:#5
Score: 15.65
398 CVEs
2024:#8↓3
Score: 16.44
415 CVEs
Trend:Improving (moved up 3 ranks)

Frequently Asked Questions

What is CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')?+

CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description Extended Description

Is CWE-78 in the CWE Top 25 Most Dangerous Software Weaknesses?+

Yes. CWE-78 ranked #8 in the CWE Top 25 for 2024, associated with 415 CVEs that year. The CWE Top 25 highlights the most common and impactful software weaknesses based on real-world vulnerability data.

What are the security consequences of CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')?+

If exploited, CWE-78 (CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) it can compromise Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart, Read Files or Directories and Modify Files or Directories, leading to outcomes such as Scope: Confidentiality, Integrity, Availability, Non-Repudiation Attackers could execute unauthorized operating system commands, which could then be used to disable the product and or read and modify data for which the attacker does not have permissions to access directly. Since the targeted application is directly executing the commands instead of the attacker.

How do you prevent or mitigate CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')?+

Recommended mitigations for CWE-78 include: If at all possible, use library calls rather than external processes to recreate the desired functionality. Strategy: Sandbox or Jail Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails. Effectiveness: Limited Note: The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. Strategy: Attack Surface Reduction For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the data locally in the session's state instead of sending it out to the client in a hidden form field.

Which programming languages are affected by CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')?+

CWE-78 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-78 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More