CWE
Home > CWE List > CWE- Individual Dictionary Definition (1.1)  
Search by ID:

CWE-619: Dangling Database Cursor (aka 'Cursor Injection')

Individual Definition in a New Window
Dangling Database Cursor (aka 'Cursor Injection')
Status: Incomplete
Weakness ID: 619 (Weakness Base)
Description
Summary

If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor "dangling."

Extended Description

For example, an improper dangling cursor could arise from unhandled exceptions. The impact of the issue depends on the cursor's role, but SQL injection attacks are commonly possible.

Potential Mitigations

Close cursors immediately after access to them is complete. Ensure that you close cursors if exceptions occur.

Other Notes

The weakness can occur both as Primary and Resultant.

This issue is currently reported for unhandled exceptions, but it is theoretically possible any time the programmer does not close the cursor at the proper time.

Background Details

A cursor is a feature in Oracle PL/SQL and other languages that provides a handle for executing and accessing the results of SQL queries.

References
David Litchfield. "The Oracle Hacker's Handbook".
David Litchfield. "Cursor Injection". <http://www.databasesecurity.com/dbsec/cursor-injection.pdf>.
Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness BaseWeakness Base404Improper Resource Shutdown or Release
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfWeakness ClassWeakness ClassWeakness Class402Transmission of Private Resources into a New Sphere (aka 'Resource Leak')
Development Concepts699
Research Concepts1000
PeerOfCategoryCategory265Privilege / Sandbox Issues
Research Concepts1000
PeerOfCategoryCategory388Error Handling
Research Concepts1000
Applicable Platforms
Languages
SQL
Time of Introduction
* Implementation
Content History
Modifications
Eric Dalci. Cigital. 2008-07-01. (External)
updated Time_of_Introduction
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Relationships, Other_Notes
CWE Content Team. MITRE. 2008-10-14. (Internal)
updated Background_Details, Description, Relationships
Previous Entry Names
* Dangling Database Cursor (Cursor Injection) (changed 2008-04-11)
Page Last Updated: November 24, 2008