CWE-134: Use of Externally-Controlled Format String

low-risk

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Abstraction: Base

Common Consequences

Confidentiality Read Memory
Integrity Modify Memory

Detection Methods

Automated Static Analysis

This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.

Black Box

Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source.

Automated Static Analysis - Binary or Bytecode

According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary / Bytecode simple extractor - strings, ELF readers, etc.

Manual Static Analysis - Binary or Bytecode

According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies

Dynamic Analysis with Automated Results Interpretation

According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners

Dynamic Analysis with Manual Results Interpretation

According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Fuzz Tester Framework-based Fuzzer

Manual Static Analysis - Source Code

According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source

Automated Static Analysis - Source Code

According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Warning Flags

Architecture or Design Review

According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)

Real-World Examples (10)

CVE CVSS EPSS KEV
CVE-2019-1579 8.1 92.9% Y
CVE-2019-1579 8.1 92.9% Y
CVE-2020-13160 9.8 82.4%
CVE-2023-35086 7.2 75.1%
CVE-2018-6317 9.1 72.7%
CVE-2024-23113 9.8 57.5% Y
CVE-2015-8617 9.8 27.1%
CVE-2014-6262 7.5 22.6%
CVE-2018-10388 9.8 18.2%
CVE-2017-16608 9.8 13.5%
7
/ 100
low-risk
Active Threat 5/50 · Minimal
Exploit Availability 2/50 · Minimal