- What is CWE-150?
- The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
- What CVEs are caused by CWE-150?
- 51 recorded CVEs are attributed to CWE-150, including CVE-2023-26055, CVE-2022-30123, CVE-2020-6932.
- How do you prevent CWE-150?
- Developers should anticipate that escape, meta and control characters/sequences will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.
- How is CWE-150 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-150?
- Exploiting CWE-150 can lead to: Execute Unauthorized Code or Commands, Hide Activities, Unexpected State.
- Is CWE-150 actively exploited?
- 51 recorded CVEs are caused by CWE-150; none are currently in CISA's KEV catalog of actively exploited flaws.