Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  

CWE-619: Dangling Database Cursor ('Cursor Injection')

Weakness ID: 619
Abstraction: Base
Status: Incomplete
Presentation Filter:
+ Description

Description Summary

If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor "dangling."

Extended Description

For example, an improper dangling cursor could arise from unhandled exceptions. The impact of the issue depends on the cursor's role, but SQL injection attacks are commonly possible.

+ Time of Introduction
  • Implementation
+ Applicable Platforms



+ Modes of Introduction

This issue is currently reported for unhandled exceptions, but it is theoretically possible any time the programmer does not close the cursor at the proper time.

+ Common Consequences

Technical Impact: Read application data; Modify application data

+ Potential Mitigations

Phase: Implementation

Close cursors immediately after access to them is complete. Ensure that you close cursors if exceptions occur.

+ Background Details

A cursor is a feature in Oracle PL/SQL and other languages that provides a handle for executing and accessing the results of SQL queries.

+ Weakness Ordinalities

This could be primary when the programmer never attempts to close the cursor when finished with it.

(where the weakness is typically related to the presence of some other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class402Transmission of Private Resources into a New Sphere ('Resource Leak')
Development Concepts699
Research Concepts1000
ChildOfWeakness BaseWeakness Base404Improper Resource Shutdown or Release
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory990SFP Secondary Cluster: Tainted Input to Command
Software Fault Pattern (SFP) Clusters (primary)888
PeerOfCategoryCategory265Privilege / Sandbox Issues
Research Concepts1000
PeerOfCategoryCategory388Error Handling
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
Software Fault PatternsSFP24Tainted input to command
+ References
David Litchfield. "The Oracle Hacker's Handbook".
David Litchfield. "Cursor Injection". <>.
+ Content History
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other_Notes
2008-10-14CWE Content TeamMITREInternal
updated Background_Details, Description, Relationships
2009-05-27CWE Content TeamMITREInternal
updated Name
2009-10-29CWE Content TeamMITREInternal
updated Modes_of_Introduction, Other_Notes, Weakness_Ordinalities
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
2014-07-30CWE Content TeamMITREInternal
updated Relationships, Taxonomy_Mappings
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Dangling Database Cursor (Cursor Injection)
2009-05-27Dangling Database Cursor (aka 'Cursor Injection')

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017