VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Abstraction: Class · Status: Draft · Likelihood: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

page 73 of 78
  • CVE-2021-36162 · Sep 7, 2021
    risk 0.00 · cvss · epss 0.02

    Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). These rules are loaded into the configuration center (eg: Zookeeper, Nacos, ...) and retrieved by the customers when making a request in order to find the right…

  • CVE-2019-10095 · Sep 2, 2021
    risk 0.00 · cvss · epss 0.06

    bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin version 0.9.0 and prior versions.

  • CVE-2020-19001 · Aug 27, 2021
    risk 0.00 · cvss · epss 0.04

    Command Injection in Simiki v1.6.2.1 and prior allows remote attackers to execute arbitrary system commands via line 64 of the component 'simiki/blob/master/simiki/config.py'.

  • CVE-2021-32830 · Aug 17, 2021
    risk 0.00 · cvss · epss 0.02

    The @diez/generation npm package is a client for Diez. The locateFont method of @diez/generation has a command injection vulnerability. Clients of the @diez/generation library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.…

  • CVE-2021-37708 · Aug 16, 2021
    risk 0.00 · cvss · epss 0.02

    Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a command injection vulnerability in mail agent settings. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available…

  • CVE-2020-36447 · Aug 8, 2021
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the v9 crate through 2020-12-18 for Rust. There is an unconditional implementation of Sync for SyncRef.

  • CVE-2020-36448 · Aug 8, 2021
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the cache crate through 2020-11-24 for Rust. There are unconditional implementations of Send and Sync for Cache.

  • CVE-2020-36449 · Aug 8, 2021
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the kekbit crate before 0.3.4 for Rust. For ShmWriter, Send is implemented without requiring H: Send.

  • CVE-2020-36450 · Aug 8, 2021
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the bunch crate through 2020-11-12 for Rust. There are unconditional implementations of Send and Sync for Bunch.

  • CVE-2020-36451 · Aug 8, 2021
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the rcu_cell crate through 2020-11-14 for Rust. There are unconditional implementations of Send and Sync for RcuCell.

  • CVE-2020-36455 · Aug 8, 2021
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the slock crate through 2020-11-17 for Rust. Slock unconditionally implements Send and Sync.

  • CVE-2020-36456 · Aug 8, 2021
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the toolshed crate through 2020-11-15 for Rust. In CopyCell, the Send trait lacks bounds on the contained type.

  • CVE-2020-36457 · Aug 8, 2021
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the lever crate before 0.1.1 for Rust. AtomicBox implements the Send and Sync traits for all types T.

  • CVE-2020-36458 · Aug 8, 2021
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the lexer crate through 2020-11-10 for Rust. For ReaderResult<T, E>, there is an implementation of Sync with a trait bound of T: Send, E: Send.

  • CVE-2020-36459 · Aug 8, 2021
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the dces crate through 2020-12-09 for Rust. The World type is marked as Send but lacks bounds on its EntityStore and ComponentStore.

  • CVE-2020-36461 · Aug 8, 2021
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the noise_search crate through 2020-12-10 for Rust. There are unconditional implementations of Send and Sync for MvccRwLock.

  • CVE-2020-36462 · Aug 8, 2021
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the syncpool crate before 0.1.6 for Rust. There is an unconditional implementation of Send for Bucket2.

  • CVE-2020-36463 · Aug 8, 2021
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the multiqueue crate through 2020-12-25 for Rust. There are unconditional implementations of Send for InnerSend<RW, T>, InnerRecv<RW, T>, FutInnerSend<RW, T>, and FutInnerRecv<RW, T>.

  • CVE-2021-31799 · Jul 29, 2021
    risk 0.00 · cvss · epss 0.01

    In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.

  • CVE-2021-23412 · Jul 23, 2021
    risk 0.00 · cvss · epss 0.04

    All versions of package gitlogplus are vulnerable to Command Injection via the main functionality, as options attributes are appended to the command to be executed without sanitization.