CISA urges devs to weed out OS command injection vulnerabilities (Security News, July 2024)

CISA and the FBI on Wednesday urged software companies to review their products and eliminate OS command injection vulnerabilities before shipping.
"OS command injection vulnerabilities arise when manufacturers fail to properly validate and sanitize user input when constructing commands to execute on the underlying OS," today's joint advisory explains.
"OS command injection vulnerabilities have long been preventable by clearly separating user input from the contents of a command. Despite this finding, OS command injection vulnerabilities (many of which result from CWE-78) are still a prevalent class of vulnerability," CISA and the FBI added.
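The separation the advisory describes is easiest to see side by side. The following is an added example, not code from the advisory or the article: the vulnerable function splices user input into a command string that is handed to the shell, the hardened function passes the same input as a single argv element with no shell involved. To keep the demo harmless and deterministic, `echo` stands in for whatever program the application really runs (ping, dig, etc.), and the hostname allowlist regex is a hypothetical example of the input validation the advisory also calls for. The sample input is constructed.

```python
import re
import subprocess

# Constructed sample input: what an attacker might type into a "host to ping"
# form field. The payload relies on ';' being a command separator in /bin/sh.
MALICIOUS_INPUT = "example.com; echo INJECTED"

# Hypothetical allowlist for a DNS hostname: letters, digits, dots and hyphens,
# and no leading '-' so the value cannot be mistaken for a command-line option.
HOSTNAME_RE = re.compile(r"(?!-)[A-Za-z0-9.-]{1,253}")


def run_vulnerable(user_input: str) -> str:
    """CWE-78 pattern: user input is spliced into a command string that is
    handed to the shell. 'echo' stands in for the real program (ping, dig...)
    so the demo is harmless; the shell still parses ';' and runs the
    attacker's second command."""
    command_line = "echo " + user_input
    completed = subprocess.run(
        command_line, shell=True, capture_output=True, text=True
    )
    return completed.stdout


def run_hardened(user_input: str) -> str:
    """Input is passed as its own argv element and no shell is involved, so
    shell metacharacters in the value are just bytes inside one argument."""
    completed = subprocess.run(
        ["echo", user_input], shell=False, capture_output=True, text=True
    )
    return completed.stdout


def validate_hostname(value: str) -> str:
    """Defence in depth: argv separation stops command injection, but a value
    starting with '-' could still be parsed by the target program as an
    option (argument injection). Reject anything outside the allowlist."""
    if not HOSTNAME_RE.fullmatch(value):
        raise ValueError(f"rejected host value: {value!r}")
    return value


if __name__ == "__main__":
    # The shell-based version prints "example.com" and then "INJECTED" on a
    # second line; the argv version prints the whole payload as literal text.
    print("vulnerable:", repr(run_vulnerable(MALICIOUS_INPUT)))
    print("hardened:  ", repr(run_hardened(MALICIOUS_INPUT)))
    for candidate in ("example.com", MALICIOUS_INPUT, "-c"):
        try:
            print("accepted:", validate_hostname(candidate))
        except ValueError as err:
            print("rejected:", err)
```

The same split exists in every mainstream runtime: `execve`-style argv arrays in C, `exec.Command` in Go, `ProcessBuilder` in Java. The hardened form is only safe if no element of the argv list is itself a shell (`["sh", "-c", ...]`), and the allowlist is still needed because argv separation does nothing about a program that interprets a leading `-` in its argument as an option.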
OS command injection took the fifth spot in MITRE's 2023 CWE Top 25 Most Dangerous Software Weaknesses, behind only out-of-bounds write, cross-site scripting, SQL injection, and use-after-free flaws.
In March and May, two earlier "Secure by Design" alerts urged tech executives and software developers to weed out SQL injection and path traversal vulnerabilities, respectively.