Improper Neutralization of Equivalent Special Elements

CWE-76

CVSS severity (NVD, All Time)

Per technology (GHSA, All time)

100%-Nuget

Short description

The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.

Extended description

The product may have a fixed list of special characters it believes is complete. However, there may be alternate encodings, or representations that also have the same meaning. For example, the product may filter out a leading slash (/) to prevent absolute path names, but does not account for a tilde (~) followed by a user name, which on some *nix systems could be expanded to an absolute pathname. Alternately, the product might filter a dangerous "-e" command-line switch when calling an external program, but it might not account for "--exec" or other switches that have the same semantics.

Best practices to prevent this CWE

Phase: Requirements

Programming languages and supporting technologies might be chosen which are not subject to these issues.

Phase: Implementation

Utilize an appropriate mix of allowlist and denylist parsing to filter equivalent special element syntax from all input.

Recently published CVEs

CVE-2024-2952
CVE-2023-1149

Recently published GHSA

GHSA-56xg-wfcc-g829
GHSA-46cm-pfwv-cgf8
GHSA-33gv-rvgq-gpxp

Prioritize and Uncover Reachable Vulnerabilities in Your Application Code

Identify externally reachable data flows and vulnerabilities for effective risk mitigation

Get a Demo