Cwe 78

🧬 CWE Related 120

slug: cwe-78

Explanation

CWE-78は「ユーザー入力をシェルコマンドの一部として使うとき、適切にエスケープせず、攻撃者がコマンドを追加実行できてしまう欠陥」のことです。例えば `ping {ユーザー入力IP}` の {ユーザー入力IP} に `; rm -rf /` のような文字列を入れられると、サーバー上のファイルが削除されます。対策は「シェル経由を避け、引数を配列として直接渡す (PHPなら escapeshellarg)」。

📌 Example

Shellshock (CVE-2014-6271): Bashの脆弱性で、Webサーバーへの普通のリクエスト経由で任意のシェルコマンドが実行できた歴史的な事件。

🔗 Related links

MITRE CWE-78 公式ページ ↗

🔖 Related tags

Cwe 20125 Cwe 787105 Cwe 41699 Cwe 2296 Cwe 11990 Cwe 9484 Cwe 50270 Cwe 7966 Cwe 8954 Cwe 91844 Cwe 28443 Cwe 28741 Cwe 7740 Cwe 30638 Cwe 84337

🛡 Vulnerabilities tagged with this 125

ID	Title	Severity	Detected
CVE-2023-49897 KEV	[KEV] OS Command Injection in Fxc ae1021 (CVE-2023-49897)	High	2 years ago
CVE-2023-47565 KEV	[KEV] OS Command Injection in Qnap viostor-nvr (CVE-2023-47565)	High	2 years ago
CVE-2023-20273 KEV	[KEV] OS Command Injection in cisco (CVE-2023-20273)	High	2 years ago
CVE-2017-6884 KEV	[KEV] OS Command Injection in Zyxel emg2926-routers (CVE-2017-6884)	High	2 years ago
CVE-2017-18368 KEV	[KEV] OS Command Injection in Zyxel p660hn-t1a-routers (CVE-2017-18368)	High	2 years ago
CVE-2022-29303 KEV	[KEV] OS Command Injection in Solarview compact (CVE-2022-29303)	High	2 years ago
CVE-2019-17621 KEV	[KEV] OS Command Injection in D-link dir-859-router (CVE-2019-17621)	High	2 years ago
CVE-2019-20500 KEV	[KEV] OS Command Injection in D-link dwl-2600ap-access-point (CVE-2019-20500)	High	2 years ago
CVE-2023-27992 KEV	[KEV] OS Command Injection in Zyxel multiple-network-attached-storage-nas-devices (CVE-2023-27992)	High	2 years ago
CVE-2020-12641 KEV	[KEV] OS Command Injection in roundcube (CVE-2020-12641)	High	2 years ago
CVE-2023-28771 KEV	[KEV] OS Command Injection in Zyxel multiple-firewalls (CVE-2023-28771)	High	2 years ago
CVE-2022-28810 KEV	[KEV] OS Command Injection in Zoho manageengine (CVE-2022-28810)	High	3 years ago
CVE-2022-33891 KEV	[KEV] OS Command Injection in Apache spark (CVE-2022-33891)	High	3 years ago
CVE-2022-44877 KEV	[KEV] OS Command Injection in Cwp control-web-panel (CVE-2022-44877)	High	3 years ago
CVE-2022-36804 KEV	[KEV] OS Command Injection in Atlassian bitbucket-server-and-data-center (CVE-2022-36804)	High	3 years ago
CVE-2022-26258 KEV	[KEV] OS Command Injection in D-link dir-820l (CVE-2022-26258)	High	3 years ago
CVE-2018-6530 KEV	[KEV] OS Command Injection in D-link multiple-routers (CVE-2018-6530)	High	3 years ago
CVE-2018-19949 KEV	[KEV] Vulnerability in Qnap network-attached-storage-nas (CVE-2018-19949)	High	3 years ago
CVE-2022-30525 KEV	[KEV] OS Command Injection in Zyxel multiple-firewalls (CVE-2022-30525)	High	3 years ago
CVE-2019-16057 KEV	[KEV] OS Command Injection in D-link dns-320-storage-device (CVE-2019-16057)	High	4 years ago
CVE-2020-2509 KEV	[KEV] Command Injection in qnap (CVE-2020-2509)	High	4 years ago
CVE-2021-45382 KEV	[KEV] OS Command Injection in D-link multiple-routers (CVE-2021-45382)	High	4 years ago
CVE-2018-10562 KEV	[KEV] OS Command Injection in Dasan gigabit-passive-optical-network-gpon-routers (CVE-2018-10562)	High	4 years ago
CVE-2020-9377 KEV	[KEV] OS Command Injection in D-link dir-610-devices (CVE-2020-9377)	High	4 years ago
CVE-2020-9054 KEV	[KEV] OS Command Injection in Zyxel multiple-network-attached-storage-nas-devices (CVE-2020-9054)	High	4 years ago
CVE-2020-7247 KEV	[KEV] Vulnerability in Openbsd opensmtpd (CVE-2020-7247)	High	4 years ago
CVE-2020-25223 KEV	[KEV] OS Command Injection in Sophos sg-utm (CVE-2020-25223)	High	4 years ago
CVE-2020-1956 KEV	[KEV] OS Command Injection in Apache kylin (CVE-2020-1956)	High	4 years ago
CVE-2019-16920 KEV	[KEV] OS Command Injection in D-link multiple-routers (CVE-2019-16920)	High	4 years ago
CVE-2019-15107 KEV	[KEV] OS Command Injection in webmin (CVE-2019-15107)	High	4 years ago

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →