CWE-914

BaseIncomplete

View on MITRE

Improper Control of Dynamically-Identified Variables

The product does not properly restrict reading from or writing to dynamically-identified variables.

5 linked vulnerabilities

2 related weaknesses

Extended Description

Many languages offer powerful features that allow the programmer to access arbitrary variables that are specified by an input string. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can modify unintended variables that have security implications.

Implementation

For any externally-influenced input, check the input against an allowlist of internal program variables that are allowed to be modified.

Implementation

Architecture and Design

Refactor the code so that internal program variables do not need to be dynamically identified.

Integrity

Modify Application Data

An attacker could modify sensitive data or program variables.

Integrity

Execute Unauthorized Code or Commands

Other

Integrity

Varies by Context

Alter Execution Logic

Modes of Introduction

Implementation

Related Weaknesses

CWE-99ChildOf CWE-913ChildOf

Example CVEs (9)

CVE-2006-7135

extract issue enables file inclusion

CVE-2006-7079

Chain: extract used for register_globals compatibility layer, enables path traversal (CWE-22)

CVE-2007-0649

extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.

CVE-2006-6661

extract() enables static code injection

CVE-2006-2828

import_request_variables() buried in include files makes post-disclosure analysis confusing

External Links

MITRE CWE Database

CWE-914: Improper Control of Dynamically-Identified Variables | Mondoo Vulnerability Intelligence