CVEbaza.plCWE DictionaryCWE-242
Common Weakness Enumeration

CWE-242

Use of Inherently Dangerous Function

Category: BaseCVE: 10
Description

The product calls a function that can never be guaranteed to work safely.

Extended Description

Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account. The gets() function is unsafe because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to gets() and overflow the destination buffer. Similarly, the >> operator is unsafe to use when reading into a statically-allocated character array because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to the >> operator and overflow the destination buffer.

CVE vulnerabilities with CWE-242 (10)
9.8
CVSS
CRITICAL
CVE-2017-1002157

modulemd 1.3.1 and earlier uses an unsafe function for processing externally provided data, leading to remote code execution.

pub. 2019-01-10
9.2
CVSS
CRITICAL
CVE-2024-52324

Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x uses an inherently dangerous function which could allow an attacker to send a malicious MQTT message resulting in devices executing arbitrary OS commands.

pub. 2024-12-06
8.8
CVSS
HIGH
CVE-2026-6477

Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

pub. 2026-05-14
8.8
CVSS
HIGH
CVE-2025-49215

A post-auth SQL injection vulnerability in the Trend Micro Endpoint Encryption PolicyServer could allow an attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability.

pub. 2025-06-17
8.8
CVSS
HIGH
CVE-2022-36310

Airspan AirVelocity 1500 software prior to version 15.18.00.2511 had NET-SNMP-EXTEND-MIB enabled on its snmpd service, enabling an attacker with SNMP write abilities to execute commands as root on the eNodeB. This issue may affect other AirVelocity and AirSpeed models.

pub. 2022-08-16
8.1
CVSS
HIGH
CVE-2017-0904

The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security measures, such as when used to blacklist private network addresses to prevent server-side request forgery.

pub. 2017-11-13
7.8
CVSS
HIGH
CVE-2025-1994

IBM Cognos Command Center 10.2.4.1 and 10.2.5 could allow a local user to execute arbitrary code on the system due to the use of unsafe use of the BinaryFormatter function.

pub. 2025-08-26
7.8
CVSS
HIGH
CVE-2025-1331

IBM CICS TX Standard 11.1 and IBM CICS TX Advanced 10.1 and 11.1 could allow a local user to execute arbitrary code on the system due to the use of unsafe use of the gets function.

pub. 2025-05-08
7.8
CVSS
HIGH
CVE-2021-42543

The affected application uses specific functions that could be abused through a crafted project file, which could lead to code execution, system reboot, and system shutdown.

pub. 2021-11-05
7.4
CVSS
HIGH
CVE-2021-40698

ColdFusion version 2021 update 1 (and earlier) and versions 2018.10 (and earlier) are impacted by an Use of Inherently Dangerous Function vulnerability that can lead to a security feature bypass  . An authenticated attacker could leverage this vulnerability to access and manipulate arbitrary data on the environment.

pub. 2023-09-07
Information
ID: CWE-242
Type: Base
Vulnerabilities: 10
MITRE CWE ↗
← CWE Dictionary