VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

ClassDraftLikelihood: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

page 70 of 78
  • CVE-2022-43396Dec 30, 2022
    risk 0.00cvss epss 0.57

    In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.

  • CVE-2022-46421Dec 20, 2022
    risk 0.00cvss epss 0.03

    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider.This issue affects Apache Airflow Hive Provider: before 5.0.0.

  • CVE-2022-24377Dec 15, 2022
    risk 0.00cvss epss 0.02

    The package cycle-import-check before 1.3.2 are vulnerable to Command Injection via the writeFileToTmpDirAndOpenIt function due to improper user-input sanitization.

  • CVE-2022-45907Nov 26, 2022
    risk 0.00cvss epss 0.01

    In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.

  • CVE-2022-45462Nov 23, 2022
    risk 0.00cvss epss 0.03

    Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher

  • CVE-2022-43695Nov 14, 2022
    risk 0.00cvss epss 0.01

    Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist,…

  • CVE-2022-42906Oct 13, 2022
    risk 0.00cvss epss 0.00

    powerline-gitstatus (aka Powerline Gitstatus) before 1.3.2 allows arbitrary code execution. git repositories can contain per-repository configuration that changes the behavior of git, including running arbitrary commands. When using powerline-gitstatus, changing to a directory…

  • CVE-2022-39243Sep 26, 2022
    risk 0.00cvss epss 0.01

    NuProcess is an external process execution implementation for Java. In all the versions of NuProcess where it forks processes by using the JVM's Java_java_lang_UNIXProcess_forkAndExec method (1.2.0+), attackers can use NUL characters in their strings to perform command line…

  • CVE-2022-21165Aug 29, 2022
    risk 0.00cvss epss 0.03

    All versions of package font-converter are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the child_process.exec() function.

  • CVE-2022-36633Aug 24, 2022
    risk 0.00cvss epss 0.49

    Teleport 9.3.6 is vulnerable to Command injection leading to Remote Code Execution. An attacker can craft a malicious ssh agent installation link by URL encoding a bash escape with carriage return line feed. This url encoded payload can be used in place of a token and sent to a…

  • CVE-2022-35954Aug 13, 2022
    risk 0.00cvss epss 0.01

    The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The `core.exportVariable` function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that…

  • CVE-2022-21186Aug 5, 2022
    risk 0.00cvss epss 0.25

    The package @acrontum/filesystem-template before 0.0.2 are vulnerable to Arbitrary Command Injection due to the fetchRepo API missing sanitization of the href field of external input.

  • CVE-2020-28423Aug 2, 2022
    risk 0.00cvss epss 0.01

    This affects all versions of package monorepo-build.

  • CVE-2020-28425Aug 2, 2022
    risk 0.00cvss epss 0.01

    This affects all versions of package curljs.

  • CVE-2020-28433Aug 2, 2022
    risk 0.00cvss epss 0.01

    This affects all versions of package node-latex-pdf.

  • CVE-2020-7795Aug 2, 2022
    risk 0.00cvss epss 0.04

    The package get-npm-package-version before 1.0.7 are vulnerable to Command Injection via main function in index.js.

  • CVE-2020-28434Aug 2, 2022
    risk 0.00cvss epss 0.01

    This affects all versions of package gitblame. The injection point is located in line 15 in lib/gitblame.js.

  • CVE-2020-28437Aug 2, 2022
    risk 0.00cvss epss 0.01

    This affects all versions of package heroku-env. The injection point is located in lib/get.js which is required by index.js.

  • CVE-2020-28451Aug 2, 2022
    risk 0.00cvss epss 0.01

    This affects the package image-tiler before 2.0.2.

  • CVE-2020-28453Aug 2, 2022
    risk 0.00cvss epss 0.01

    This affects all versions of package npos-tesseract. The injection point is located in line 55 in lib/ocr.js.