VariantIncomplete

CWE-621Variable Extraction Error

Category: other

Description

The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.

Common consequences· 1

  • Integrity — Modify Application Data
    An attacker could modify sensitive data or program variables.

Potential mitigations· 3

  • [Implementation]Use allowlists of variable names that can be extracted.
  • [Implementation]Consider refactoring your code to avoid extraction routines altogether.
  • [Implementation]In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.

References

  1. https://cwe.mitre.org/data/definitions/621.html

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Missing Initialization of a Variable
CWE
Generation of Error Message Containing Sensitive Information
CWE
Improper Handling of Undefined Parameters
CWE
Improper Handling of Parameters
CWE
Improper Input Validation
CWE
Function Call With Incorrect Variable or Reference as Argument
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.