Cwe 78

🧬 CWE Related 120

slug: cwe-78

Explanation

CWE-78は「ユーザー入力をシェルコマンドの一部として使うとき、適切にエスケープせず、攻撃者がコマンドを追加実行できてしまう欠陥」のことです。例えば `ping {ユーザー入力IP}` の {ユーザー入力IP} に `; rm -rf /` のような文字列を入れられると、サーバー上のファイルが削除されます。対策は「シェル経由を避け、引数を配列として直接渡す (PHPなら escapeshellarg)」。

📌 Example

Shellshock (CVE-2014-6271): Bashの脆弱性で、Webサーバーへの普通のリクエスト経由で任意のシェルコマンドが実行できた歴史的な事件。

🔗 Related links

MITRE CWE-78 公式ページ ↗

🔖 Related tags

Cwe 20125 Cwe 787105 Cwe 41699 Cwe 2296 Cwe 11990 Cwe 9484 Cwe 50270 Cwe 7966 Cwe 8954 Cwe 91844 Cwe 28443 Cwe 28741 Cwe 7740 Cwe 30638 Cwe 84337

🛡 Vulnerabilities tagged with this 125

ID	Title	Severity	Detected
CVE-2019-12991 KEV	[KEV] OS Command Injection in Citrix sd-wan-and-netscaler (CVE-2019-12991)	High	4 years ago
CVE-2018-6961 KEV	[KEV] OS Command Injection in Vmware sd-wan-edge (CVE-2018-6961)	High	4 years ago
CVE-2018-14839 KEV	[KEV] OS Command Injection in Lg n1a1-nas (CVE-2018-14839)	High	4 years ago
CVE-2018-11138 KEV	[KEV] OS Command Injection in Quest kace-system-management-appliance (CVE-2018-11138)	High	4 years ago
CVE-2017-6334 KEV	[KEV] OS Command Injection in Netgear dgn2200-devices (CVE-2017-6334)	High	4 years ago
CVE-2016-11021 KEV	[KEV] OS Command Injection in D-link dcs-930l-devices (CVE-2016-11021)	High	4 years ago
CVE-2017-6077 KEV	[KEV] OS Command Injection in Netgear wireless-router-dgn2200 (CVE-2017-6077)	High	4 years ago
CVE-2014-6271 KEV	[KEV] OS Command Injection in Gnu bourne-again-shell-bash (CVE-2014-6271)	High	4 years ago
CVE-2014-7169 KEV	[KEV] OS Command Injection in Gnu bourne-again-shell-bash (CVE-2014-7169)	High	4 years ago
CVE-2021-25296 KEV	[KEV] OS Command Injection in nagios (CVE-2021-25296)	High	4 years ago
CVE-2021-25297 KEV	[KEV] OS Command Injection in nagios (CVE-2021-25297)	High	4 years ago
CVE-2021-25298 KEV	[KEV] OS Command Injection in nagios (CVE-2021-25298)	High	4 years ago
CVE-2021-21315 KEV	[KEV] OS Command Injection in Npm package npm-package (CVE-2021-21315)	High	4 years ago
CVE-2020-11978 KEV	[KEV] OS Command Injection in Apache airflow (CVE-2020-11978)	High	4 years ago
CVE-2021-36260 KEV	[KEV] OS Command Injection in Hikvision security-cameras-web-server (CVE-2021-36260)	High	4 years ago
CVE-2019-10149 KEV	[KEV] OS Command Injection in Exim mail-transfer-agent-mta (CVE-2019-10149)	High	4 years ago
CVE-2021-35394 KEV	[KEV] OS Command Injection in Realtek jungle-software-development-kit-sdk (CVE-2021-35394)	High	4 years ago
CVE-2020-8816 KEV	[KEV] OS Command Injection in Pi-hole adminlte (CVE-2020-8816)	High	4 years ago
CVE-2021-27104 KEV	[KEV] Vulnerability in Accellion fta (CVE-2021-27104)	High	4 years ago
CVE-2021-27102 KEV	[KEV] Vulnerability in Accellion fta (CVE-2021-27102)	High	4 years ago
CVE-2021-1497 KEV	[KEV] OS Command Injection in Cisco hyperflex-hx (CVE-2021-1497)	High	4 years ago
CVE-2021-1498 KEV	[KEV] OS Command Injection in Cisco hyperflex-hx (CVE-2021-1498)	High	4 years ago
CVE-2020-25506 KEV	[KEV] OS Command Injection in D-link dns-320-device (CVE-2020-25506)	High	4 years ago
CVE-2020-8515 KEV	[KEV] OS Command Injection in Draytek multiple-vigor-routers (CVE-2020-8515)	High	4 years ago
CVE-2020-4428 KEV	[KEV] OS Command Injection in Ibm data-risk-manager (CVE-2020-4428)	High	4 years ago
CVE-2021-22502 KEV	[KEV] Vulnerability in Micro focus micro-focus (CVE-2021-22502)	High	4 years ago
CVE-2019-15949 KEV	[KEV] OS Command Injection in nagios (CVE-2019-15949)	High	4 years ago
CVE-2019-19356 KEV	[KEV] OS Command Injection in Netis wf2419-devices (CVE-2019-19356)	High	4 years ago
CVE-2019-11539 KEV	[KEV] OS Command Injection in Ivanti pulse-connect-secure-and-pulse-policy-secure (CVE-2019-11539)	High	4 years ago
CVE-2020-10221 KEV	[KEV] OS Command Injection in rconfig (CVE-2020-10221)	High	4 years ago

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →