CWE-134
Use of Externally-Controlled Format String
BaseDraftLikelihood: High
Description
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-135 · CAPEC-67
CVEs mapped to this weakness (204)
page 5 of 11| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2004-0777 | 0.04 | — | 0.16 | Oct 20, 2004 | Format string vulnerability in the auth_debug function in Courier-IMAP 1.6.0 through 2.2.1 and 3.x through 3.0.3, when login debugging (DEBUG_LOGIN) is enabled, allows remote attackers to execute arbitrary code. | ||
| CVE-2004-0179 | 0.04 | — | 0.08 | Jun 1, 2004 | Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, and other products that use neon including (2) Cadaver, (3) Subversion, and (4) OpenOffice, allow remote malicious WebDAV servers to execute arbitrary code. | ||
| CVE-2013-2852 | 0.03 | — | 0.00 | Jun 7, 2013 | Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message. | ||
| CVE-2011-0270 | 0.03 | — | 0.31 | Jan 13, 2011 | Format string vulnerability in nnmRptConfig.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via format string specifiers in input data that involves an invalid template name. | ||
| CVE-2010-2094 | 0.03 | — | 0.03 | May 27, 2010 | Multiple format string vulnerabilities in the phar extension in PHP 5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the (1) phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or (4) phar_wrapper_open_url functions in ext/phar/stream.c; and the (5) phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers errors in the php_stream_wrapper_log_error function. | ||
| CVE-2010-0388 | 0.03 | — | 0.02 | Jan 25, 2010 | Format string vulnerability in the WebDAV implementation in webservd in Sun Java System Web Server 7.0 Update 6 allows remote attackers to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in the encoding attribute of the XML declaration in a PROPFIND request. | ||
| CVE-2009-0754 | 0.03 | — | 0.00 | Mar 3, 2009 | PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server. | ||
| CVE-2008-5660 | 0.03 | — | 0.02 | Dec 17, 2008 | Format string vulnerability in the vinagre_utils_show_error function (src/vinagre-utils.c) in Vinagre 0.5.x before 0.5.2 and 2.x before 2.24.2 might allow remote attackers to execute arbitrary code via format string specifiers in a crafted URI or VNC server response. | ||
| CVE-2008-3963 | 0.03 | — | 0.05 | Sep 11, 2008 | MySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6 does not properly handle a b'' (b single-quote single-quote) token, aka an empty bit-string literal, which allows remote attackers to cause a denial of service (daemon crash) by using this token in a SQL statement. | ||
| CVE-2008-3116 | 0.03 | — | 0.06 | Jul 10, 2008 | Format string vulnerability in dx8render.dll in Snail Game (aka Suzhou Snail Electronic Company) 5th street (aka Hot Step or High Street 5) allows remote attackers to execute arbitrary code via format string specifiers in a chat message. | ||
| CVE-2007-6273 | 0.03 | — | 0.06 | Dec 7, 2007 | Multiple format string vulnerabilities in the configuration file in SonicWALL GLobal VPN Client 3.1.556 and 4.0.0.810 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in the (1) Hostname tag or the (2) name attribute in the Connection tag. NOTE: there might not be any realistic circumstances in which this issue crosses privilege boundaries. | ||
| CVE-2007-0753 | 0.03 | — | 0.01 | May 24, 2007 | Format string vulnerability in the VPN daemon (vpnd) in Apple Mac OS X 10.3.9 and 10.4.9 allows local users to execute arbitrary code via the -i parameter. | ||
| CVE-2007-2027 | 0.03 | — | 0.00 | Apr 13, 2007 | Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks. | ||
| CVE-2006-6751 | 0.03 | — | 0.06 | Dec 27, 2006 | Format string vulnerability in XM Easy Personal FTP Server 5.2.1 allows remote attackers to cause a denial of service (application crash) via format string specifiers in the USER command or certain other available or nonexistent commands. NOTE: It was later reported that 5.3.0 is also vulnerable. | ||
| CVE-2006-2409 | 0.03 | — | 0.00 | May 16, 2006 | Format string vulnerability in the raydium_log function in console.c in Raydium before SVN revision 310 allows local users to execute arbitrary code via format string specifiers in the format parameter, which are not properly handled in a call to raydium_console_line_add. | ||
| CVE-2006-1615 | 0.03 | — | 0.37 | Apr 6, 2006 | Multiple format string vulnerabilities in the logging code in Clam AntiVirus (ClamAV) before 0.88.1 might allow remote attackers to execute arbitrary code. NOTE: as of 20060410, it is unclear whether this is a vulnerability, as there is some evidence that the arguments are actually being sanitized properly. | ||
| CVE-2005-1394 | 0.03 | — | 0.01 | May 3, 2005 | Format string vulnerability in ArcGIS for ESRI ArcInfo Workstation 9.0 allows local users to gain privileges via format string specifiers in the ARCHOME environment variable to (1) wservice or (2) lockmgr. | ||
| CVE-2003-1381 | 0.03 | — | 0.04 | Dec 31, 2003 | Format string vulnerability in AMX 0.9.2 and earlier, a plugin for Valve Software's Half-Life Server, allows remote attackers to execute arbitrary commands via format string specifiers in the amx_say command. | ||
| CVE-2006-3573 | 0.02 | — | 0.24 | Jul 13, 2006 | Format string vulnerability in the WriteText function in agl_text.cpp in Milan Mimica Sparklet 0.9.4 and earlier allows remote attackers to execute arbitrary code via format string specifiers in a player nickname. | ||
| CVE-2013-0929 | 0.01 | — | 0.12 | Jan 21, 2013 | Format string vulnerability in the _vsnsprintf function in rrobotd.exe in the Device Manager in EMC AlphaStor 4.0 before build 800 allows remote attackers to execute arbitrary code via format string specifiers in a command. |