Byte Open Security

(ByteOS Network)

CAPEC-470: Expanding Control over the Operating System from the Database
Attack Pattern ID: 470
Version: v3.9
Attack Pattern Name: Expanding Control over the Operating System from the Database
Abstraction: Detailed
Status: Draft
Likelihood of Attack:
Typical Severity: Very High
2 Weaknesses found

CWE-250
Execution with Unnecessary Privileges
Likelihood of Exploit: Medium
Mapping: Allowed
Abstraction: Base
Found in 219 CVEs

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Impacts: Read Application Data; DoS: Crash, Exit, or Restart; Execute Unauthorized Code or Commands; Gain Privileges or Assume Identity
Tags: Medium exploit; Environment Hardening; Separation of Privilege; Attack Surface Reduction; Mobile (technology class); Execute Unauthorized Code or Commands (impact); DoS: Crash, Exit, or Restart (impact); Read Application Data (impact); Gain Privileges or Assume Identity (impact)
As Seen In: CWE Cross-section

CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Likelihood of Exploit: High
Mapping: Allowed
Abstraction: Base
Found in 16270 CVEs

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Impacts: Read Application Data; Execute Unauthorized Code or Commands; Gain Privileges or Assume Identity; Bypass Protection Mechanism; Modify Application Data
Tags: SQL; Database Server; High exploit; Environment Hardening; Libraries or Frameworks; Input Validation; Parameterization; Output Encoding; Firewall; Enforcement by Conversion; Execute Unauthorized Code or Commands (impact); Bypass Protection Mechanism (impact); Modify Application Data (impact); Read Application Data (impact); Gain Privileges or Assume Identity (impact)
As Seen In: 2019 CWE Top 25 Most Dangerous Software Errors; 2021 CWE Top 25 Most Dangerous Software; CISQ Data Protection Measures; 2020 CWE Top 25 Most Dangerous Software; 2022 CWE Top 25 Most Dangerous Software; 2023 CWE Top 25 Most Dangerous Software; 2024 CWE Top 25 Most Dangerous Software; Originally Used by NVD from 2008 to 2016; CWE Cross-section