CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE version: 4.18
Last updated: 2025-09-09
Weakness Description
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Common Consequences
Scope: Integrity, Confidentiality, Availability
Technical Impact: Execute Unauthorized Code or Commands
Note: If a malicious user injects a character (such as a semicolon) that delimits the end of one command and the beginning of another, it may be possible to then insert an entirely new and unrelated command that was not intended to be executed. This gives an attacker a privilege or capability that they would not otherwise have.
Potential Mitigations
Phase: Architecture and Design
Description: If at all possible, use library calls rather than external processes to recreate the desired functionality.
Phase: Implementation
Description: If possible, ensure that all external commands called from the program are statically created.
Phase: Implementation
Strategy: Input Validation
Phase: Operation
Description: Run time: Run time policy enforcement may be used in an allowlist fashion to prevent use of any non-sanctioned commands.
Phase: System Configuration
Description: Assign permissions that prevent the user from accessing/opening privileged files.
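The following is an added example, not part of the CWE entry, showing the mitigations above in Python: a statically built argument list passed without a shell, plus allowlist validation that also rejects leading dashes (the option-injection variant, CWE-88, seen in CVE-2022-36069). It uses the `echo` and `printf` utilities as stand-ins for the external command, and the inputs are constructed samples.

```python
import re
import subprocess

# Constructed sample inputs: one benign name and two hostile ones.
BENIGN = "alice"
SHELL_META = "alice; echo INJECTED"   # ';' ends one command and starts another
DASH_ARG = "--output=/tmp/x"          # parsed as an option, not data (CWE-88)


def vulnerable_echo(name: str) -> str:
    """Vulnerable pattern: untrusted input is spliced into a command string
    that a shell then parses, so metacharacters change the command structure."""
    completed = subprocess.run(
        f"echo {name}", shell=True, capture_output=True, text=True
    )
    return completed.stdout


# Allowlist: first character must not be '-', and only a narrow safe alphabet.
ALLOWED = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$")


def build_safe_argv(name: str) -> list[str]:
    """Hardened: the program and format are fixed; input is only ever an operand."""
    if not ALLOWED.fullmatch(name):
        raise ValueError(f"input rejected by allowlist: {name!r}")
    # printf's format string is a literal; the untrusted value fills '%s' only.
    return ["printf", "%s\n", name]


def safe_echo(name: str) -> str:
    # shell=False (the default): argv goes straight to execve, no shell parsing,
    # so a ';' or '|' in `name` would be printed literally rather than executed.
    completed = subprocess.run(
        build_safe_argv(name), shell=False, capture_output=True, text=True
    )
    return completed.stdout


def is_rejected(name: str) -> bool:
    """True when the allowlist refuses the input before any process is spawned."""
    try:
        build_safe_argv(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", vulnerable_echo(SHELL_META).splitlines())  # two lines ran
    print("safe:", safe_echo(BENIGN).splitlines())
    print("rejected:", is_rejected(SHELL_META), is_rejected(DASH_ARG))
```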
Detection Methods
Method: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Effectiveness: High
Observed Examples
Reference: CVE-2022-1509
injection of sed script syntax ("sed injection")
Reference: CVE-2024-5184
API service using a large generative AI model allows direct prompt injection to leak hard-coded system prompts or execute other prompts.
Reference: CVE-2020-11698
anti-spam product allows injection of SNMP commands into configuration file
Reference: CVE-2019-12921
image program allows injection of commands in "Magick Vector Graphics (MVG)" language.
Reference: CVE-2022-36069
Python-based dependency management tool avoids OS command injection when generating Git commands but allows injection of optional arguments with input beginning with a dash (CWE-88), potentially allowing for code execution.
Reference: CVE-1999-0067
Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program.
Reference: CVE-2020-9054
Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV.
Reference: CVE-2021-41282
injection of sed script syntax ("sed injection")
Reference: CVE-2019-13398
injection of sed script syntax ("sed injection")
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
Applicable Platforms
Languages
Technologies
Taxonomy Mappings
| Taxonomy Name | Node ID | Node Name | Mapping Fit |
|---|---|---|---|
| 7 Pernicious Kingdoms | - | Command Injection | - |
| CLASP | - | Command injection | - |
| OWASP Top Ten 2007 | A2 | Injection Flaws | CWE More Specific |
| OWASP Top Ten 2004 | A1 | Unvalidated Input | CWE More Specific |
| OWASP Top Ten 2004 | A6 | Injection Flaws | CWE More Specific |
| Software Fault Patterns | SFP24 | Tainted input to command | - |
| SEI CERT Perl Coding Standard | IDS34-PL | Do not pass untrusted, unsanitized data to a command interpreter | CWE More Specific |
Key Information
CWE ID: CWE-77
Abstraction: Class
Structure: Simple
Status: Draft
Likelihood of Exploit: High