CWE-94 - Improper Control of Generation of Code ('Code Injection')

Description

Existence of code syntax in the users data increases attacker's possibility to change the planned control conduct and execute arbitrary code.
These weaknesses are called "injection weaknesses" and have their specific features. Under the influence of injection weaknesses data control can become user-controlled. It means that any process, carried out by the machine, can be changed by sending new code through legal data canals with no using additional computers.While buffer overflows and other problems are mostly associated with execution, injection problems are used only for data analysed.
The most usual examples of "injection weaknesses" are SQL injection and format string vulnerabilities.
The weakness is introduced during Architecture and Design, Implementation stages.

Latest vulnerabilities for CWE-94

Multiple vulnerabilities in IBM Sterling Order Management 2024-04-17
High Yes

Multiple vulnerabilities in Oracle Linux 2024-04-17
High Yes

Multiple vulnerabilities in Oracle Solaris Cluster 2024-04-17
High Yes

Multiple vulnerabilities in Oracle Healthcare Data Repository 2024-04-17
High Yes

Multiple vulnerabilities in Oracle WebLogic Server 2024-04-17
High Yes

Multiple vulnerabilities in Oracle Business Intelligence Enterprise Edition 2024-04-17
Medium Yes

Multiple vulnerabilities in IBM Sterling Order Management 2024-04-16
High Yes

Multiple vulnerabilities in a-blog cms 2024-04-11
Medium Yes

Remote code execution in FortiClient for Linux 2024-04-09
High Yes

Privilege escalation in FortiManager 2024-04-09
Low Yes

References

Description of CWE-94 on Mitre website