CVEbaza.plSłownik CWECWE-242
Common Weakness Enumeration

CWE-242

Use of Inherently Dangerous Function

Kategoria: BaseCVE: 10
Opis

Produkt wywołuje funkcję, której bezpieczne działanie nigdy nie może być gwarantowane. Taka funkcja zawiera nieuniknionych zagrożeń bezpieczeństwa, niezależnie od sposobu jej użycia.

Description (EN)

The product calls a function that can never be guaranteed to work safely.

Podatności CVE z CWE-242 (10)
9.8
CVSS
CRITICAL
CVE-2017-1002157

modulemd 1.3.1 and earlier uses an unsafe function for processing externally provided data, leading to remote code execution.

pub. 2019-01-10
9.2
CVSS
CRITICAL
CVE-2024-52324

Podatność w Ruijie Reyee OS umożliwia atakującemu zdalne wykonanie dowolnych poleceń systemowych (RCE) poprzez wysłanie złośliwej wiadomości MQTT. Ze względu na brak wymagań uwierzytelnienia i krytyczny poziom CVSS 9.2, stanowi poważne zagrożenie dla urządzeń sieciowych opartych na tym systemie.

pub. 2024-12-06
8.8
CVSS
HIGH
CVE-2026-6477

Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

pub. 2026-05-14
8.8
CVSS
HIGH
CVE-2025-49215

A post-auth SQL injection vulnerability in the Trend Micro Endpoint Encryption PolicyServer could allow an attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability.

pub. 2025-06-17
8.8
CVSS
HIGH
CVE-2022-36310

Airspan AirVelocity 1500 software prior to version 15.18.00.2511 had NET-SNMP-EXTEND-MIB enabled on its snmpd service, enabling an attacker with SNMP write abilities to execute commands as root on the eNodeB. This issue may affect other AirVelocity and AirSpeed models.

pub. 2022-08-16
8.1
CVSS
HIGH
CVE-2017-0904

The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security measures, such as when used to blacklist private network addresses to prevent server-side request forgery.

pub. 2017-11-13
7.8
CVSS
HIGH
CVE-2025-1994

IBM Cognos Command Center 10.2.4.1 and 10.2.5 could allow a local user to execute arbitrary code on the system due to the use of unsafe use of the BinaryFormatter function.

pub. 2025-08-26
7.8
CVSS
HIGH
CVE-2025-1331

IBM CICS TX Standard 11.1 and IBM CICS TX Advanced 10.1 and 11.1 could allow a local user to execute arbitrary code on the system due to the use of unsafe use of the gets function.

pub. 2025-05-08
7.8
CVSS
HIGH
CVE-2021-42543

The affected application uses specific functions that could be abused through a crafted project file, which could lead to code execution, system reboot, and system shutdown.

pub. 2021-11-05
7.4
CVSS
HIGH
CVE-2021-40698

ColdFusion version 2021 update 1 (and earlier) and versions 2018.10 (and earlier) are impacted by an Use of Inherently Dangerous Function vulnerability that can lead to a security feature bypass  . An authenticated attacker could leverage this vulnerability to access and manipulate arbitrary data on the environment.

pub. 2023-09-07
Informacje
ID: CWE-242
Typ: Base
Podatności: 10
MITRE CWE ↗
← Słownik CWE