CWE-913: Improper Control of Dynamically-Managed Code Resources

Description

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

Extended Description

Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways.

ThreatScore

Threat Mapped score: 1.8

Industry: Finiancial

Threat priority: P4 - Informational (Low)

Observed Examples (CVEs)

CVE: CVE-2022-2054

Python compiler uses eval() to execute malicious strings as Python code.
CVE: CVE-2018-1000613

Cryptography API uses unsafe reflection when deserializing a private key
CVE: CVE-2015-8103

Deserialization issue in commonly-used Java library allows remote execution.
CVE: CVE-2006-7079

Chain: extract used for register_globals compatibility layer, enables path traversal (CWE-22)
CVE: CVE-2012-2055

Source version control product allows modification of trusted key using mass assignment.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Architecture and Design	N/A
Implementation	N/A

Common Consequences

Impact: Execute Unauthorized Code or Commands — Notes:
Impact: Varies by Context, Alter Execution Logic — Notes:

Potential Mitigations

Implementation: For any externally-influenced input, check the input against an allowlist of acceptable values. (N/A)
Implementation: Refactor the code so that it does not need to be dynamically managed. (N/A)

Applicable Platforms

None listed.

Demonstrative Examples

N/A

Notes

No notes available.

← Back to CWE list