Cwe 78

🧬 CWE Related 120
slug: cwe-78

Explanation

CWE-78は「ユーザー入力をシェルコマンドの一部として使うとき、適切にエスケープせず、攻撃者がコマンドを追加実行できてしまう欠陥」のことです。 例えば `ping {ユーザー入力IP}` の {ユーザー入力IP} に `; rm -rf /` のような文字列を入れられると、サーバー上のファイルが削除されます。 対策は「シェル経由を避け、引数を配列として直接渡す (PHPなら escapeshellarg)」。
📌 Example
Shellshock (CVE-2014-6271): Bashの脆弱性で、Webサーバーへの普通のリクエスト経由で任意のシェルコマンドが実行できた歴史的な事件。

🔖 Related tags

🛡 Vulnerabilities tagged with this 796

ID Title
CVE-2022-36804 KEV [KEV] OS Command Injection in Atlassian bitbucket-server-and-data-center (CVE-2022-36804)
CVE-2022-30079 OS Command Injection in netgear (CVE-2022-30079)
CVE-2022-26258 KEV [KEV] OS Command Injection in D-link dir-820l (CVE-2022-26258)
CVE-2018-6530 KEV [KEV] OS Command Injection in D-link multiple-routers (CVE-2018-6530)
CVE-2022-30078 Command Injection in netgear (CVE-2022-30078)
CVE-2021-42232 OS Command Injection in tp-link (CVE-2021-42232)
CVE-2021-36667 OS Command Injection in druva (CVE-2021-36667)
CVE-2022-30023 OS Command Injection in tenda (CVE-2022-30023)
CVE-2021-42875 OS Command Injection in totolink (CVE-2021-42875)
CVE-2021-42872 OS Command Injection in totolink (CVE-2021-42872)
CVE-2020-25368 OS Command Injection in dlink (CVE-2020-25368)
CVE-2020-21883 OS Command Injection in indionetworks (CVE-2020-21883)
CVE-2021-28927 OS Command Injection in c (CVE-2021-28927)
CVE-2018-19949 KEV [KEV] Vulnerability in Qnap network-attached-storage-nas (CVE-2018-19949)
CVE-2022-30525 KEV [KEV] OS Command Injection in Zyxel multiple-firewalls (CVE-2022-30525)
CVE-2018-19908 OS Command Injection in misp-project (CVE-2018-19908)
CVE-2022-27224 An issue was discovered in Galleon NTS-6002-GPS 4.14.103-Galleon-NTS-6002.V12 4. An authenticated...
CVE-2021-43164 Command Injection in ruijienetworks (CVE-2021-43164)
CVE-2019-16057 KEV [KEV] OS Command Injection in D-link dns-320-storage-device (CVE-2019-16057)
CVE-2020-2509 KEV [KEV] Command Injection in qnap (CVE-2020-2509)
CVE-2020-27373 OS Command Injection in drtrustusa (CVE-2020-27373)
CVE-2021-45382 KEV [KEV] OS Command Injection in D-link multiple-routers (CVE-2021-45382)
CVE-2018-10562 KEV [KEV] OS Command Injection in Dasan gigabit-passive-optical-network-gpon-routers (CVE-2018-10562)
CVE-2021-46007 OS Command Injection in totolink (CVE-2021-46007)
CVE-2020-9377 KEV [KEV] OS Command Injection in D-link dir-610-devices (CVE-2020-9377)
CVE-2020-9054 KEV [KEV] OS Command Injection in Zyxel multiple-network-attached-storage-nas-devices (CVE-2020-9054)
CVE-2020-7247 KEV [KEV] Vulnerability in Openbsd opensmtpd (CVE-2020-7247)
CVE-2020-25223 KEV [KEV] OS Command Injection in Sophos sg-utm (CVE-2020-25223)
CVE-2020-1956 KEV [KEV] OS Command Injection in Apache kylin (CVE-2020-1956)
CVE-2019-16920 KEV [KEV] OS Command Injection in D-link multiple-routers (CVE-2019-16920)

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →