Description
The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways.
Potential Impact
Integrity: Execute Unauthorized Code or Commands
Other, Integrity: Varies by Context, Alter Execution Logic
Demonstrative Examples
A message board that appends user-supplied text to a file and later include()s that file, so stored messages are interpreted as PHP code:

```php
<?php
// Vulnerable: the stored message is later include()d, so any PHP in it runs.
$MessageFile = "messages.out";
if ($_GET["action"] == "NewMessage") {
    $name = $_GET["name"];
    $message = $_GET["message"];
    $handle = fopen($MessageFile, "a+");
    fwrite($handle, "<b>$name</b> says '$message'<hr>\n");
    fclose($handle);
    echo "Message Saved!<p>\n";
}
else if ($_GET["action"] == "ViewMessages") {
    include($MessageFile);
}
?>
```

A NewMessage request carrying these parameters:

```
name=h4x0r&message=%3C?php%20system(%22/bin/ls%20-l%22);?%3E
```

stores the following in messages.out, which the ViewMessages branch then executes:

```php
<?php system("/bin/ls -l");?>
```

A command dispatcher that does not use reflection; only the two named classes can be instantiated:

```java
String ctl = request.getParameter("ctl");
Worker ao = null;
if (ctl.equals("Add")) {
    ao = new AddCommand();
}
else if (ctl.equals("Modify")) {
    ao = new ModifyCommand();
}
else {
    throw new UnknownActionError();
}
ao.doAction(request);
```

The same dispatcher refactored to use reflection; the class to load and instantiate is now chosen by the ctl parameter:

```java
String ctl = request.getParameter("ctl");
// The request parameter decides which class is loaded and instantiated.
Class cmdClass = Class.forName(ctl + "Command");
Worker ao = (Worker) cmdClass.newInstance();
ao.doAction(request);
```

With an access-control check added; the class named by the request is still instantiated before the check runs:

```java
String ctl = request.getParameter("ctl");
Class cmdClass = Class.forName(ctl + "Command");
Worker ao = (Worker) cmdClass.newInstance();
ao.checkAccessControl(request);  // runs only after the request-chosen class exists
ao.doAction(request);
```

Mitigations & Prevention
For any externally-influenced input, check the input against an allowlist of acceptable values.
Refactor the code so that it does not need to be dynamically managed.
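The following is an added example, not code from the CWE entry or from any of the listed CVEs. It restates the Java command dispatcher above in Python (a module-level name lookup plays the role of Class.forName) and adds the mass-assignment pattern from the CVE table, each in its dynamically-resolved form beside the allowlisted form the mitigation above calls for. Worker, AddCommand, ModifyCommand, MaintenanceCommand, UnknownActionError, User and the request dictionaries are all constructed for the example.

```python
# Added example: dynamic lookup keyed on request input versus an allowlist.
# All classes, field names and request dicts below are constructed for
# illustration; none come from the CWE entry.


class UnknownActionError(Exception):
    """Raised when the request names an action that is not exposed."""


class Worker:
    def do_action(self, request):
        raise NotImplementedError


class AddCommand(Worker):
    def do_action(self, request):
        return "added " + request.get("item", "")


class ModifyCommand(Worker):
    def do_action(self, request):
        return "modified " + request.get("item", "")


class MaintenanceCommand(Worker):
    """Internal-only job; the request layer is never meant to reach it."""

    def do_action(self, request):
        return "maintenance run"


def dispatch_dynamic(request):
    """Unsafe: the class is resolved from the request parameter, so every
    class in this module whose name ends in 'Command' is reachable, just as
    with Class.forName(ctl + "Command") in the Java example."""
    ctl = request["ctl"]
    cmd_class = globals()[ctl + "Command"]  # lookup key is attacker-controlled
    return cmd_class().do_action(request)


# Allowlist: the only mapping from external input to a code resource.
COMMANDS = {
    "Add": AddCommand,
    "Modify": ModifyCommand,
}


def dispatch_allowlisted(request):
    """Safe: the parameter is used only as a key into a fixed table, so
    MaintenanceCommand and anything else not listed is unreachable."""
    cmd_class = COMMANDS.get(request.get("ctl"))
    if cmd_class is None:
        raise UnknownActionError(request.get("ctl"))
    return cmd_class().do_action(request)


class User:
    def __init__(self, name):
        self.name = name
        self.email = ""
        self.is_admin = False


def update_user_dynamic(user, fields):
    """Unsafe mass assignment: every submitted key becomes an attribute write,
    so a field such as is_admin can be set by whoever builds the request."""
    for key, value in fields.items():
        setattr(user, key, value)
    return user


UPDATABLE_FIELDS = frozenset({"name", "email"})


def update_user_allowlisted(user, fields):
    """Safe: only allowlisted attributes are written. The rejected keys are
    returned so the caller can log them or fail the request."""
    rejected = sorted(key for key in fields if key not in UPDATABLE_FIELDS)
    for key, value in fields.items():
        if key in UPDATABLE_FIELDS:
            setattr(user, key, value)
    return rejected


if __name__ == "__main__":
    print(dispatch_allowlisted({"ctl": "Add", "item": "widget"}))
    # The dynamic dispatcher reaches the internal class; the allowlist refuses it.
    print(dispatch_dynamic({"ctl": "Maintenance"}))
    try:
        dispatch_allowlisted({"ctl": "Maintenance"})
    except UnknownActionError as exc:
        print("rejected action:", exc)
    user = User("alice")
    rejected = update_user_allowlisted(
        user, {"email": "alice@example.invalid", "is_admin": True})
    print("rejected fields:", rejected, "is_admin:", user.is_admin)
```

The allowlisted variants also satisfy the second mitigation in spirit: once the mapping is a fixed dictionary, nothing about the dispatch is dynamically managed any more, and the set of reachable classes and writable fields can be read directly from the source.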
Detection Methods
- Fuzzing (effectiveness: High): Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs, either randomly or algorithmically, and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption,
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2022-2054 | Python compiler uses eval() to execute malicious strings as Python code. |
| CVE-2018-1000613 | Cryptography API uses unsafe reflection when deserializing a private key |
| CVE-2015-8103 | Deserialization issue in commonly-used Java library allows remote execution. |
| CVE-2006-7079 | Chain: extract used for register_globals compatibility layer, enables path traversal (CWE-22) |
| CVE-2012-2055 | Source version control product allows modification of trusted key using mass assignment. |
Related Weaknesses
Frequently Asked Questions
What is CWE-913?
CWE-913 (Improper Control of Dynamically-Managed Code Resources) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statement...
How can CWE-913 be exploited?
Attackers can exploit CWE-913 (Improper Control of Dynamically-Managed Code Resources) to execute unauthorized code or commands. This weakness is typically introduced during the Architecture and Design and Implementation phases of software development.
How do I prevent CWE-913?
Key mitigations include: For any externally-influenced input, check the input against an allowlist of acceptable values.
What is the severity of CWE-913?
CWE-913 is classified as a Class-level weakness (High abstraction). It has been observed in 5 real-world CVEs.