CWE-94: CWE-94: Improper Control of Generation of Code ('Code Injection')

BaseStable🏆 #18 in Top 25 (2024)

Description

View on MITRE
436Related CVEs
11.72Severity Score
Back to CWE Lookup

Technical Details

Structure
Simple
Vulnerability Mapping
ALLOWED

Applicable To

Languages
Languages
Platforms

🏆 CWE Top 25 Historical Ranking

2023:#23
Score: 3.30
401 CVEs
2024:#18↑5
Score: 11.72
436 CVEs
Trend:Worsening (moved down 5 ranks)

Frequently Asked Questions

What is CWE-94: CWE-94: Improper Control of Generation of Code ('Code Injection')?+

CWE-94: CWE-94: Improper Control of Generation of Code ('Code Injection') is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description

Is CWE-94 in the CWE Top 25 Most Dangerous Software Weaknesses?+

Yes. CWE-94 ranked #18 in the CWE Top 25 for 2024, associated with 436 CVEs that year. The CWE Top 25 highlights the most common and impactful software weaknesses based on real-world vulnerability data.

What are the security consequences of CWE-94: Improper Control of Generation of Code ('Code Injection')?+

If exploited, CWE-94 (CWE-94: Improper Control of Generation of Code ('Code Injection')) it can compromise Bypass Protection Mechanism, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands and Hide Activities, leading to outcomes such as Scope: Access Control In some cases, injectable code controls authentication, this may lead to a remote vulnerability., Scope: Access Control Injected code can access resources that the attacker is directly prevented from accessing., Scope: Integrity and Confidentiality.

How do you prevent or mitigate CWE-94: Improper Control of Generation of Code ('Code Injection')?+

Recommended mitigations for CWE-94 include: Strategy: Refactoring Refactor your program so that you do not have to dynamically generate code. Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails. Strategy: Input Validation Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().

Which programming languages are affected by CWE-94: Improper Control of Generation of Code ('Code Injection')?+

CWE-94 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-94 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More