CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
Description
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
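The weak pattern the description names, beside its hardened form, as an added example (not code from CWE or from any of the projects listed below). It assumes a web handler that receives a file name and passes it to a line-counting tool; the payload, the allowlist pattern and the use of the Python interpreter as a stand-in for the downstream program are all constructed for this example. The shell view is computed with `shlex` rather than executed, so the injected `id` never runs; the argv form is executed and reports what the child actually received.

```python
"""Command injection (CWE-77): command string built from input vs. argv list."""
import json
import re
import shlex
import subprocess
import sys

# Constructed sample input: a "filename" as an attacker might submit it.
PAYLOAD = "report.txt; id"

# Hypothetical allowlist for a plain file name in this example.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def build_shell_command(filename: str) -> str:
    """The CWE-77 pattern: the command is a string assembled by concatenation.
    Handing it to a shell (system(), subprocess with shell=True, `sh -c`)
    lets metacharacters inside `filename` alter the intended command.
    Returned as a string only; this example never executes it."""
    return "wc -l " + filename


def shell_tokens(command: str) -> list[str]:
    """What a POSIX shell would parse: ; | & ( ) < > become separate operator
    tokens, so the attacker's `id` is a second command, not part of the name."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def is_safe_filename(filename: str) -> bool:
    """Positive validation: accept only what the downstream program needs and
    reject the rest, instead of trying to strip individual metacharacters."""
    return _SAFE_NAME.fullmatch(filename) is not None


def argv_received(filename: str) -> list[str]:
    """Hardened form: an argv list and no shell, so the whole value is one
    argument.  The child is the Python interpreter (a portable stand-in for
    wc) and it reports the arguments it received.  `--` ends option parsing
    so a value such as `-r` cannot be taken as a flag (argument injection)."""
    argv = [
        sys.executable, "-c",
        "import json, sys; print(json.dumps(sys.argv[1:]))",
        "-l", "--", filename,
    ]
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    print("shell would parse:", shell_tokens(build_shell_command(PAYLOAD)))
    print("allowlist accepts payload:", is_safe_filename(PAYLOAD))
    print("argv child received:", argv_received(PAYLOAD))
```

The allowlist check and the argv form are independent defenses: the argv list alone stops shell interpretation, and the allowlist additionally keeps values such as `-r` or `../etc/passwd` from reaching the downstream program even where a shell is unavoidable.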
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76
CVEs mapped to this weakness (1,552)
page 73 of 78

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-36162 | — | | 0.00 | — | 0.02 | | Sep 7, 2021 | Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). These rules are loaded into the configuration center (eg: Zookeeper, Nacos, ...) and retrieved by the customers when making a request in order to find the right… |
| CVE-2019-10095 | | | 0.00 | — | 0.06 | | Sep 2, 2021 | bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin version 0.9.0 and prior versions. |
| CVE-2020-19001 | — | | 0.00 | — | 0.04 | | Aug 27, 2021 | Command Injection in Simiki v1.6.2.1 and prior allows remote attackers to execute arbitrary system commands via line 64 of the component 'simiki/blob/master/simiki/config.py'. |
| CVE-2021-32830 | — | | 0.00 | — | 0.02 | | Aug 17, 2021 | The @diez/generation npm package is a client for Diez. The locateFont method of @diez/generation has a command injection vulnerability. Clients of the @diez/generation library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.… |
| CVE-2021-37708 | — | | 0.00 | — | 0.02 | | Aug 16, 2021 | Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a command injection vulnerability in mail agent settings. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available… |
| CVE-2020-36447 | — | | 0.00 | — | 0.01 | | Aug 8, 2021 | An issue was discovered in the v9 crate through 2020-12-18 for Rust. There is an unconditional implementation of Sync for SyncRef. |
| CVE-2020-36448 | — | | 0.00 | — | 0.01 | | Aug 8, 2021 | An issue was discovered in the cache crate through 2020-11-24 for Rust. There are unconditional implementations of Send and Sync for Cache. |
| CVE-2020-36449 | — | | 0.00 | — | 0.01 | | Aug 8, 2021 | An issue was discovered in the kekbit crate before 0.3.4 for Rust. For ShmWriter, Send is implemented without requiring H: Send. |
| CVE-2020-36450 | — | | 0.00 | — | 0.01 | | Aug 8, 2021 | An issue was discovered in the bunch crate through 2020-11-12 for Rust. There are unconditional implementations of Send and Sync for Bunch. |
| CVE-2020-36451 | — | | 0.00 | — | 0.01 | | Aug 8, 2021 | An issue was discovered in the rcu_cell crate through 2020-11-14 for Rust. There are unconditional implementations of Send and Sync for RcuCell. |
| CVE-2020-36455 | — | | 0.00 | — | 0.01 | | Aug 8, 2021 | An issue was discovered in the slock crate through 2020-11-17 for Rust. Slock unconditionally implements Send and Sync. |
| CVE-2020-36456 | — | | 0.00 | — | 0.01 | | Aug 8, 2021 | An issue was discovered in the toolshed crate through 2020-11-15 for Rust. In CopyCell, the Send trait lacks bounds on the contained type. |
| CVE-2020-36457 | — | | 0.00 | — | 0.01 | | Aug 8, 2021 | An issue was discovered in the lever crate before 0.1.1 for Rust. AtomicBox implements the Send and Sync traits for all types T. |
| CVE-2020-36458 | — | | 0.00 | — | 0.01 | | Aug 8, 2021 | An issue was discovered in the lexer crate through 2020-11-10 for Rust. For ReaderResult<T, E>, there is an implementation of Sync with a trait bound of T: Send, E: Send. |
| CVE-2020-36459 | — | | 0.00 | — | 0.01 | | Aug 8, 2021 | An issue was discovered in the dces crate through 2020-12-09 for Rust. The World type is marked as Send but lacks bounds on its EntityStore and ComponentStore. |
| CVE-2020-36461 | — | | 0.00 | — | 0.01 | | Aug 8, 2021 | An issue was discovered in the noise_search crate through 2020-12-10 for Rust. There are unconditional implementations of Send and Sync for MvccRwLock. |
| CVE-2020-36462 | — | | 0.00 | — | 0.01 | | Aug 8, 2021 | An issue was discovered in the syncpool crate before 0.1.6 for Rust. There is an unconditional implementation of Send for Bucket2. |
| CVE-2020-36463 | — | | 0.00 | — | 0.01 | | Aug 8, 2021 | An issue was discovered in the multiqueue crate through 2020-12-25 for Rust. There are unconditional implementations of Send for InnerSend<RW, T>, InnerRecv<RW, T>, FutInnerSend<RW, T>, and FutInnerRecv<RW, T>. |
| CVE-2021-31799 | — | | 0.00 | — | 0.01 | | Jul 29, 2021 | In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via \| and tags in a filename. |
| CVE-2021-23412 | — | | 0.00 | — | 0.04 | | Jul 23, 2021 | All versions of package gitlogplus are vulnerable to Command Injection via the main functionality, as options attributes are appended to the command to be executed without sanitization. |