Potential format string vulnerability
Description
Format string vulnerabilities allow an attacker to read or in some cases, potentially write data to and from locations in the processes' memory. To prevent against format string attacks, do not allow users or un-validated input to provide the format specification. Consider using a constant for the format specification, or only allow specific characters to be provided to the format argument for the `fprintf` family of functions.
Examples
Insecure Code
c
fprintf(fd, user_input);Secure Code
c
fprintf(fd, "Hello, %s!", user_input);Remediation
Use a constant format string or validate user input to prevent format string attacks.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0589 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-134 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | format string vulnerability, injection |
| OWASP | A1:2017-Injection, A03:2021-Injection |