CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.10)  
ID

CWE-913: Improper Control of Dynamically-Managed Code Resources

Weakness ID: 913
Abstraction: Class
Status: Incomplete
Presentation Filter:
+ Description

Description Summary

The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

Extended Description

Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Common Consequences
ScopeEffect
Integrity

Technical Impact: Execute unauthorized code or commands

Other
Integrity

Technical Impact: Varies by context; Alter execution logic

+ Potential Mitigations

Phase: Implementation

Strategy: Input Validation

For any externally-influenced input, check the input against a white list of acceptable values.

Phases: Implementation; Architecture and Design

Strategy: Refactoring

Refactor the code so that it does not need to be dynamically managed.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory505Intentionally Introduced Weakness
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class664Improper Control of a Resource Through its Lifetime
Research Concepts (primary)1000
Weaknesses for Simplified Mapping of Published Vulnerabilities (primary)1003
ParentOfWeakness ClassWeakness Class94Improper Control of Generation of Code ('Code Injection')
Research Concepts1000
ParentOfWeakness BaseWeakness Base470Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant502Deserialization of Untrusted Data
Development Concepts (primary)699
Research Concepts (primary)1000
Weaknesses for Simplified Mapping of Published Vulnerabilities (primary)1003
ParentOfWeakness BaseWeakness Base914Improper Control of Dynamically-Identified Variables
Development Concepts (primary)699
Research Concepts1000
ParentOfWeakness BaseWeakness Base915Improperly Controlled Modification of Dynamically-Determined Object Attributes
Development Concepts (primary)699
Research Concepts (primary)1000
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2013-01-26MITREInternal CWE Team
Modifications
Modification DateModifierOrganizationSource
2015-12-07CWE Content TeamMITREInternal
updated Relationships
2017-01-19CWE Content TeamMITREInternal
updated Relationships

More information is available — Please select a different filter.
Page Last Updated: January 18, 2017