Cwe 78

🧬 CWE Related 120
slug: cwe-78

Explanation

CWE-78は「ユーザー入力をシェルコマンドの一部として使うとき、適切にエスケープせず、攻撃者がコマンドを追加実行できてしまう欠陥」のことです。 例えば `ping {ユーザー入力IP}` の {ユーザー入力IP} に `; rm -rf /` のような文字列を入れられると、サーバー上のファイルが削除されます。 対策は「シェル経由を避け、引数を配列として直接渡す (PHPなら escapeshellarg)」。
📌 Example
Shellshock (CVE-2014-6271): Bashの脆弱性で、Webサーバーへの普通のリクエスト経由で任意のシェルコマンドが実行できた歴史的な事件。

🔖 Related tags

🛡 Vulnerabilities tagged with this 797

ID Title
CVE-2024-4577 KEV [KEV] OS Command Injection in Php group php-group (CVE-2024-4577)
CVE-2017-3506 KEV [KEV] OS Command Injection in Oracle weblogic-server (CVE-2017-3506)
CVE-2024-29640 OS Command Injection in CVE-2024-29640 (CVE-2024-29640)
CVE-2023-6437 OS Command Injection in CVE-2023-6437 (CVE-2023-6437)
CVE-2019-7256 KEV [KEV] OS Command Injection in Nice linear-emerge-e3-series (CVE-2019-7256)
CVE-2023-47415 OS Command Injection in cypress (CVE-2023-47415)
CVE-2021-36380 KEV [KEV] OS Command Injection in Sunhillo sureline (CVE-2021-36380)
CVE-2023-46359 OS Command Injection in hardy-barth (CVE-2023-46359)
CVE-2023-50651 OS Command Injection in totolink (CVE-2023-50651)
CVE-2023-49897 KEV [KEV] OS Command Injection in Fxc ae1021 (CVE-2023-49897)
CVE-2023-47565 KEV [KEV] OS Command Injection in Qnap viostor-nvr (CVE-2023-47565)
CVE-2023-51385 OS Command Injection in openbsd (CVE-2023-51385)
CVE-2023-23325 OS Command Injection in zumtobel (CVE-2023-23325)
CVE-2023-6201 OS Command Injection in univera (CVE-2023-6201)
CVE-2023-20273 KEV [KEV] OS Command Injection in cisco (CVE-2023-20273)
CVE-2023-38886 OS Command Injection in dolibarr (CVE-2023-38886)
CVE-2017-6884 KEV [KEV] OS Command Injection in Zyxel emg2926-routers (CVE-2017-6884)
CVE-2017-18368 KEV [KEV] OS Command Injection in Zyxel p660hn-t1a-routers (CVE-2017-18368)
CVE-2022-29303 KEV [KEV] OS Command Injection in Solarview compact (CVE-2022-29303)
CVE-2023-36143 OS Command Injection in maxprintisp (CVE-2023-36143)
CVE-2019-17621 KEV [KEV] OS Command Injection in D-link dir-859-router (CVE-2019-17621)
CVE-2019-20500 KEV [KEV] OS Command Injection in D-link dwl-2600ap-access-point (CVE-2019-20500)
CVE-2023-27992 KEV [KEV] OS Command Injection in Zyxel multiple-network-attached-storage-nas-devices (CVE-2023-27992)
CVE-2020-12641 KEV [KEV] OS Command Injection in roundcube (CVE-2020-12641)
CVE-2023-33381 OS Command Injection in mitrastar (CVE-2023-33381)
CVE-2023-28771 KEV [KEV] OS Command Injection in Zyxel multiple-firewalls (CVE-2023-28771)
CVE-2023-29778 OS Command Injection in gl-inet (CVE-2023-29778)
CVE-2023-27216 OS Command Injection in dlink (CVE-2023-27216)
CVE-2022-28810 KEV [KEV] OS Command Injection in Zoho manageengine (CVE-2022-28810)
CVE-2022-33891 KEV [KEV] OS Command Injection in Apache pyspark (CVE-2022-33891)

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →