- What is CWE-96?
- The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.
- What CVEs are caused by CWE-96?
- 22 recorded CVEs are attributed to CWE-96, including CVE-2024-55877, CVE-2015-2079, CVE-2024-13264.
- How do you prevent CWE-96?
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- How is CWE-96 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-96?
- Exploiting CWE-96 can lead to: Read Files or Directories, Read Application Data, Bypass Protection Mechanism, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands, Hide Activities.
- Is CWE-96 actively exploited?
- 22 recorded CVEs are caused by CWE-96; none are currently in CISA's KEV catalog of actively exploited flaws.