CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
扩展描述
Software or other automated logic has certain assumptions about what constitutes data and control respectively. It is the lack of verification of these assumptions for user-controlled input that leads to injection problems. Injection problems encompass a wide variety of issues -- all mitigated in very different ways and usually attempted in order to alter the control flow of the process. For this reason, the most effective way to discuss these weaknesses is to note the distinct features that classify them as injection weaknesses. The most important issue to note is that all injection problems share one thing in common -- i.e., they allow for the injection of control plane data into the user-controlled data plane. This means that the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism. While buffer overflows, and many other flaws, involve the use of some further issue to gain execution, injection problems need only for the data to be parsed.
常见后果
影响范围: Confidentiality
技术影响: Read Application Data
说明: Many injection attacks involve the disclosure of important information -- in terms of both data sensitivity and usefulness in further exploitation.
影响范围: Access Control
技术影响: Bypass Protection Mechanism
说明: In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
影响范围: Other
技术影响: Alter Execution Logic
说明: Injection attacks are characterized by the ability to significantly change the flow of a given process, and in some cases, to the execution of arbitrary code.
影响范围: Integrity Other
技术影响: Other
说明: Data injection attacks lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing.
影响范围: Non-Repudiation
技术影响: Hide Activities
说明: Often the actions performed by injected control code are unlogged.
潜在缓解措施
阶段: Requirements
描述: Programming languages and supporting technologies might be chosen which are not subject to these issues.
阶段: Implementation
描述: Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.
检测方法
方法: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
有效性: High
观察示例
参考: CVE-2024-5184
API service using a large generative AI model allows direct prompt injection to leak hard-coded system prompts or execute other prompts.
参考: CVE-2022-36069
Python-based dependency management tool avoids OS command injection when generating Git commands but allows injection of optional arguments with input beginning with a dash (CWE-88), potentially allowing for code execution.
参考: CVE-1999-0067
Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program.
参考: CVE-2022-1509
injection of sed script syntax ("sed injection")
参考: CVE-2020-9054
Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV.
参考: CVE-2021-44228
Product does not neutralize ${xyz} style expressions, allowing remote code execution. (log4shell vulnerability)
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| CLASP | - | Injection problem ('data' used as something else) | - |
| OWASP Top Ten 2004 | A6 | Injection Flaws | CWE More Specific |
| Software Fault Patterns | SFP24 | Tainted input to command | - |
关键信息
CWE ID: CWE-74
抽象级别: Class
结构: Simple
状态: Incomplete
利用可能性: High