CWE-913 动态管理代码资源的控制不恰当

Improper Control of Dynamically-Managed Code Resources

结构: Simple

Abstraction: Class

状态: Incomplete

被利用可能性: unkown

基本描述

The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

扩展描述

Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways.

相关缺陷

• cwe_Nature: ChildOf cwe_CWE_ID: 664 cwe_View_ID: 1000 cwe_Ordinal: Primary

常见的影响

范围	影响	注释
Integrity	Execute Unauthorized Code or Commands
['Other', 'Integrity']	['Varies by Context', 'Alter Execution Logic']

可能的缓解方案

Implementation

策略: Input Validation

For any externally-influenced input, check the input against a white list of acceptable values.

['Implementation', 'Architecture and Design']

策略: Refactoring

Refactor the code so that it does not need to be dynamically managed.

文章来源于互联网:scap中文网