CWE-621: Variable Extraction Error
Also known as: Variable overwrite
The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.
Last updated
Overview
For example, in PHP, extraction can be used to provide functionality similar to register_globals, a dangerous functionality that is frequently disabled in production systems. Calling extract() or import_request_variables() without the proper arguments could allow arbitrary global variables to be overwritten, including superglobals. Similar functionality is possible in other interpreted languages, including custom languages.
Real-world CVEs
1 recorded CVEs are caused by CWE-621 (Variable Extraction Error). The highest-severity and most recent are shown first.
Common consequences
What can happen when CWE-621 is exploited.
Modify Application Data
Affects: Integrity
An attacker could modify sensitive data or program variables.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.