Common Weakness Enumeration

CWE-134

Allowed

Use of Externally-Controlled Format String

Abstraction: Base · Status: Draft

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

501 vulnerabilities reference this CWE, most recent first.

GHSA-HMPV-PVG5-4FPQ

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2025-10-22 00:32
VLAI
Details

Assuming radio permission is gained, missing input validation in modem interface driver prior to SMR Oct-2021 Release 1 results in format string bug leading to kernel panic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134",
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-06T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Assuming radio permission is gained, missing input validation in modem interface driver prior to SMR Oct-2021 Release 1 results in format string bug leading to kernel panic.",
  "id": "GHSA-hmpv-pvg5-4fpq",
  "modified": "2025-10-22T00:32:25Z",
  "published": "2022-05-24T19:16:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25489"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2021\u0026month=10"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-25489"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HP64-JG7M-F9MQ

Vulnerability from github – Published: 2022-05-02 00:05 – Updated: 2022-05-02 00:05
VLAI
Details

MySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6 does not properly handle a b'' (b single-quote single-quote) token, aka an empty bit-string literal, which allows remote attackers to cause a denial of service (daemon crash) by using this token in a SQL statement.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-3963"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-09-11T01:13:00Z",
    "severity": "MODERATE"
  },
  "details": "MySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6 does not properly handle a b\u0027\u0027 (b single-quote single-quote) token, aka an empty bit-string literal, which allows remote attackers to cause a denial of service (daemon crash) by using this token in a SQL statement.",
  "id": "GHSA-hp64-jg7m-f9mq",
  "modified": "2022-05-02T00:05:26Z",
  "published": "2022-05-02T00:05:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3963"
    },
    {
      "type": "WEB",
      "url": "https://bugs.gentoo.org/237166"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45042"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10521"
    },
    {
      "type": "WEB",
      "url": "http://bugs.mysql.com/bug.php?id=35658"
    },
    {
      "type": "WEB",
      "url": "http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-66.html"
    },
    {
      "type": "WEB",
      "url": "http://dev.mysql.com/doc/refman/5.1/en/news-5-1-26.html"
    },
    {
      "type": "WEB",
      "url": "http://dev.mysql.com/doc/refman/6.0/en/news-6-0-6.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/31769"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32759"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32769"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/34907"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/36566"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2009/dsa-1783"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:094"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/09/09/4"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/09/09/7"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2009-1067.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2009-1289.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1020858"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1397-1"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-671-1"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/2554"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HPHW-V67P-V2G2

Vulnerability from github – Published: 2025-09-22 18:30 – Updated: 2025-09-22 18:30
VLAI
Details

IBM webMethods Integration 10.15 and 11.1 could allow an authenticated user with required execute Services to execute commands on the system due to the improper validation of format string strings passed as an argument from an external source.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-22T16:15:43Z",
    "severity": "HIGH"
  },
  "details": "IBM webMethods Integration 10.15 and 11.1 could allow an authenticated user with required execute Services to execute commands on the system due to the improper validation of format string strings passed as an argument from an external source.",
  "id": "GHSA-hphw-v67p-v2g2",
  "modified": "2025-09-22T18:30:36Z",
  "published": "2025-09-22T18:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36202"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7245720"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HPVQ-MG46-42WP

Vulnerability from github – Published: 2022-05-01 06:53 – Updated: 2022-05-01 06:53
VLAI
Details

Multiple format string vulnerabilities in Empire Server before 4.3.1 allow attackers to cause a denial of service (crash) via the (1) load, (2) spy and (3) bomb functions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-1840"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-04-19T16:06:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple format string vulnerabilities in Empire Server before 4.3.1 allow attackers to cause a denial of service (crash) via the (1) load, (2) spy and (3) bomb functions.",
  "id": "GHSA-hpvq-mg46-42wp",
  "modified": "2022-05-01T06:53:17Z",
  "published": "2022-05-01T06:53:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-1840"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25863"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/19674"
    },
    {
      "type": "WEB",
      "url": "http://sourceforge.net/project/shownotes.php?release_id=410001\u0026group_id=24031"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/24700"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/17585"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2006/1380"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HR7H-RPPP-W8X4

Vulnerability from github – Published: 2022-05-17 01:52 – Updated: 2022-05-17 01:52
VLAI
Details

Format string vulnerability in the p_cgi_error function in python/neo_cgi.c in the Python CGI Kit (neo_cgi) module for Clearsilver 0.10.5 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers that are not properly handled when creating CGI error messages using the cgi_error API function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-4357"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-12-10T17:55:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in the p_cgi_error function in python/neo_cgi.c in the Python CGI Kit (neo_cgi) module for Clearsilver 0.10.5 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers that are not properly handled when creating CGI error messages using the cgi_error API function.",
  "id": "GHSA-hr7h-rppp-w8x4",
  "modified": "2022-05-17T01:52:07Z",
  "published": "2022-05-17T01:52:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4357"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71599"
    },
    {
      "type": "WEB",
      "url": "http://code.google.com/p/clearsilver/source/detail?r=919"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/77419"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/47016"
    },
    {
      "type": "WEB",
      "url": "http://tech.groups.yahoo.com/group/ClearSilver/message/1422"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2011/dsa-2355"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2011/11/27/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HRFH-7J5F-8CCR

Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2025-04-02 23:10
VLAI
Summary
Pivotal RabbitMQ is vulnerable to a denial of service attack
Details

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "RabbitMQ"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0"
            },
            {
              "fixed": "3.7.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Hex",
        "name": "RabbitMQ"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.8.0"
            },
            {
              "fixed": "3.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Hex",
        "name": "RabbitMQ"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.16.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Hex",
        "name": "RabbitMQ"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.17.0"
            },
            {
              "fixed": "1.17.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-11287"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-01T11:48:49Z",
    "nvd_published_at": "2019-11-23T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The \"X-Reason\" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.",
  "id": "GHSA-hrfh-7j5f-8ccr",
  "modified": "2025-04-02T23:10:37Z",
  "published": "2022-05-24T17:01:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11287"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0078"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rabbitmq/rabbitmq-server"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4"
    },
    {
      "type": "WEB",
      "url": "https://pivotal.io/security/cve-2019-11287"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pivotal RabbitMQ is vulnerable to a denial of service attack"
}

GHSA-HVH3-476H-JJ48

Vulnerability from github – Published: 2026-03-10 18:31 – Updated: 2026-03-10 18:31
VLAI
Details

A use of externally-controlled format string vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.7, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.7, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow an attacker to escalate its privileges via specially crafted requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-68648"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-10T18:18:00Z",
    "severity": "HIGH"
  },
  "details": "A use of externally-controlled format string vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.7, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.7, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow an attacker to escalate its privileges via specially crafted requests.",
  "id": "GHSA-hvh3-476h-jj48",
  "modified": "2026-03-10T18:31:18Z",
  "published": "2026-03-10T18:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68648"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-092"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HW76-48P4-4G5C

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47
VLAI
Details

The Bluetooth stack on the BMW 330i 2011 allows a remote crash of the CD/Multimedia software via %x or %c format string specifiers in a device name.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-9212"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-23T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "The Bluetooth stack on the BMW 330i 2011 allows a remote crash of the CD/Multimedia software via %x or %c format string specifiers in a device name.",
  "id": "GHSA-hw76-48p4-4g5c",
  "modified": "2022-05-13T01:47:50Z",
  "published": "2022-05-13T01:47:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9212"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/__Obzy__/status/864704956116254720"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HWPJ-2V36-69R4

Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:36
VLAI
Details

Format string vulnerability in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to read arbitrary sections of memory and CPU registers via the "hook" URL parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-14713"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-13T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to read arbitrary sections of memory and CPU registers via the \"hook\" URL parameter.",
  "id": "GHSA-hwpj-2v36-69r4",
  "modified": "2024-04-04T00:36:20Z",
  "published": "2022-05-24T16:45:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14713"
    },
    {
      "type": "WEB",
      "url": "https://blog.securityevaluators.com/asus-routers-overflow-with-vulnerabilities-b111bc1c8eb8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HXG7-68HM-96PC

Vulnerability from github – Published: 2022-10-25 19:00 – Updated: 2022-10-27 19:00
VLAI
Details

Four format string injection vulnerabilities exist in the UPnP logging functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted UPnP negotiation can lead to memory corruption, information disclosure, and denial of service. An attacker can host a malicious UPnP service to trigger these vulnerabilities.This vulnerability arises from format string injection via controlURL XML tag, as used within the DoUpdateUPnPbyService action handler.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35879"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-25T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Four format string injection vulnerabilities exist in the UPnP logging functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted UPnP negotiation can lead to memory corruption, information disclosure, and denial of service. An attacker can host a malicious UPnP service to trigger these vulnerabilities.This vulnerability arises from format string injection via `controlURL` XML tag, as used within the `DoUpdateUPnPbyService` action handler.",
  "id": "GHSA-hxg7-68hm-96pc",
  "modified": "2022-10-27T19:00:32Z",
  "published": "2022-10-25T19:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35879"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1583"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Requirements

Choose a language that is not subject to this flaw.

Mitigation
Implementation

Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]

Mitigation
Build and Compilation

Run compilers and linkers with high warning levels, since they may detect incorrect usage.

CAPEC-135: Format String Injection

An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.

CAPEC-67: String Format Overflow in syslog()

This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.