CWE-676: Use of Potentially Dangerous Function
CWE Version: 4.18
Last Updated: 2025-09-09
Description
The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.
Common Consequences
Scope: Other
Technical Impact: Varies by Context; Quality Degradation; Unexpected State
Note: If the function is used incorrectly, then it could result in security problems.
Potential Mitigations
Phase: Build and Compilation; Implementation
描述: Identify a list of prohibited API functions and prohibit developers from using these functions, providing safer alternatives. In some cases, automatic code analysis tools or the compiler can be instructed to spot use of prohibited functions, such as the "banned.h" include file from Microsoft's SDL. [REF-554] [REF-7]
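The banned-list mitigation above, worked through as an added example (illustrative code written for this page; it is neither Microsoft's banned.h nor code from any product named in the observed examples). It assumes GCC or Clang, whose `#pragma GCC poison` turns any later use of the listed identifiers into a hard compile error. The hypothetical `legacy_copy` sits above the pragma only to show the unbounded-copy pattern the observed CVEs share; the two bounded helpers below it are the safer alternatives a banned list should point developers to.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical legacy code: the pattern shared by the observed examples
 * above. Nothing bounds the copy, so any src of 32 or more bytes overruns
 * `out`. It is placed above the ban only so this file still compiles; it is
 * never called. */
void legacy_copy(const char *src)
{
    char out[32];
    strcpy(out, src);          /* CWE-676: unbounded copy into a fixed buffer */
    (void)out;
}

/* The banned list, enforced by the preprocessor (GCC and Clang). Any later
 * appearance of these identifiers is a hard compile error, which is the
 * effect the mitigation asks for. Uses inside macros that system headers
 * defined before this line are exempt, so keep the pragma after the includes. */
#pragma GCC poison strcpy strcat sprintf vsprintf gets

/* Safer alternative to the banned copy functions: copy at most dst_size-1
 * bytes, always NUL-terminate when dst_size > 0, and report truncation to
 * the caller. Returns true only if the whole string fit. */
bool copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return false;
    size_t len = strlen(src);
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return false;          /* truncated: the caller must handle it */
    }
    memcpy(dst, src, len + 1);
    return true;
}

/* Safer alternative to the banned formatting functions: vsnprintf returns
 * the length the full output would have had, so a value >= dst_size means
 * the buffer was too small and the result is truncated. */
__attribute__((format(printf, 3, 4)))
bool format_bounded(char *dst, size_t dst_size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, dst_size, fmt, ap);
    va_end(ap);
    return n >= 0 && (size_t)n < dst_size;
}

int main(void)
{
    /* Constructed input: deliberately longer than the 16-byte buffer below. */
    const char *input = "user-supplied-name-that-is-too-long";
    char buf[16];

    if (!copy_bounded(buf, sizeof buf, input))
        printf("copy truncated to \"%s\"\n", buf);

    if (!format_bounded(buf, sizeof buf, "%s@%s", "alice", "example.org"))
        printf("format truncated to \"%s\"\n", buf);
    else
        printf("formatted \"%s\"\n", buf);

    return 0;
}
```

In a real code base the pragma lives in a header force-included into every translation unit, after the system headers. A bounded replacement is only safer if its result is checked: both helpers return false on truncation instead of silently shortening the data, which is the check that callers of snprintf and strlcpy (see CVE-2011-0712) most often omit.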
Detection Methods
Method: Automated Static Analysis - Binary or Bytecode
Effectiveness: High
Method: Manual Static Analysis - Binary or Bytecode
Effectiveness: SOAR Partial
Method: Dynamic Analysis with Manual Results Interpretation
Effectiveness: High
Method: Manual Static Analysis - Source Code
Effectiveness: High
Method: Automated Static Analysis - Source Code
Effectiveness: High
Method: Automated Static Analysis
Effectiveness: SOAR Partial
Method: Architecture or Design Review
Effectiveness: High
Observed Examples
Reference: CVE-2007-1470
Library has multiple buffer overflows using sprintf() and strcpy()
Reference: CVE-2009-3849
Buffer overflow using strcat()
Reference: CVE-2006-2114
Buffer overflow using strcpy()
Reference: CVE-2006-0963
Buffer overflow using strcpy()
Reference: CVE-2011-0712
Vulnerable use of strcpy() changed to use safer strlcpy()
Reference: CVE-2008-5005
Buffer overflow using strcpy()
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
Applicable Platforms
Languages
Taxonomy Mappings
| Taxonomy Name | Node ID | Node Name | Mapping Fit |
|---|---|---|---|
| 7 Pernicious Kingdoms | - | Dangerous Functions | - |
| CERT C Secure Coding | CON33-C | Avoid race conditions when using library functions | CWE More Abstract |
| CERT C Secure Coding | ENV33-C | Do not call system() | CWE More Abstract |
| CERT C Secure Coding | ERR07-C | Prefer functions that support error checking over equivalent functions that don't | - |
| CERT C Secure Coding | ERR34-C | Detect errors when converting a string to a number | CWE More Abstract |
| CERT C Secure Coding | FIO01-C | Be careful using functions that use file names for identification | - |
| CERT C Secure Coding | MSC30-C | Do not use the rand() function for generating pseudorandom numbers | CWE More Abstract |
| CERT C Secure Coding | STR31-C | Guarantee that storage for strings has sufficient space for character data and the null terminator | Imprecise |
| Software Fault Patterns | SFP3 | Use of an improper API | - |