CWE-123
Write-what-where Condition
Abstraction: Base. Exploit likelihood: High.
What it is
Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.
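An added illustration of this condition, not taken from the MITRE entry: an unchecked copy spills past a fixed-size field into the slot that selects where a later write lands, shown beside the bounds-checked form. The flat arena, offsets and function names are constructed for the example so the overflow stays well-defined C.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy memory model (constructed for illustration): one flat arena, so the
 * overflow is well-defined C rather than a real out-of-bounds access. */
enum { NAME_OFF = 0, NAME_LEN = 16, DEST_OFF = 16, FLAG_OFF = 24,
       SCRATCH_OFF = 32, ARENA_LEN = 64 };

typedef struct { uint8_t mem[ARENA_LEN]; } arena_t;

static void arena_init(arena_t *a) {
    memset(a->mem, 0, sizeof a->mem);
    a->mem[DEST_OFF] = SCRATCH_OFF;      /* "where": meant to stay at scratch */
}

/* Flawed: trusts len, so bytes past NAME_LEN spill into the dest slot. */
static int store_unchecked(arena_t *a, const uint8_t *in, size_t len, uint8_t what) {
    if (len > ARENA_LEN) return -1;      /* only keeps the demo inside the arena */
    memcpy(a->mem + NAME_OFF, in, len);  /* missing check against NAME_LEN */
    a->mem[a->mem[DEST_OFF] % ARENA_LEN] = what;  /* "what" goes to corrupted "where" */
    return 0;
}

/* Hardened: reject input that does not fit the name field. */
static int store_checked(arena_t *a, const uint8_t *in, size_t len, uint8_t what) {
    if (len > NAME_LEN) return -1;
    memcpy(a->mem + NAME_OFF, in, len);
    a->mem[a->mem[DEST_OFF] % ARENA_LEN] = what;
    return 0;
}

/* Returns the privilege flag after processing a constructed 17-byte input
 * whose last byte lands on the dest slot. */
static int flag_after(int use_checked) {
    arena_t a; uint8_t in[NAME_LEN + 1];
    arena_init(&a);
    memset(in, 'A', NAME_LEN);
    in[NAME_LEN] = FLAG_OFF;             /* overflow byte selects the target */
    if (use_checked) store_checked(&a, in, sizeof in, 1);
    else             store_unchecked(&a, in, sizeof in, 1);
    return a.mem[FLAG_OFF];
}

int main(void) { return !(flag_after(0) == 1 && flag_after(1) == 0); }
```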
Impact
| Scope | Impact |
| --- | --- |
| Integrity, Confidentiality, Availability, Access Control | Modify Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, DoS: Crash, Exit, or Restart, Bypass Protection Mechanism |
| Integrity, Availability | DoS: Crash, Exit, or Restart, Modify Memory |
| Access Control, Other | Bypass Protection Mechanism, Other |
Mitigations
- [Architecture and Design] Use a language that provides appropriate memory abstractions.
- [Operation] Use OS-level preventative functionality integrated after the fact. Not a complete solution.
Real-world CVE examples
- CVE-2019-19911 — Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory cons
- CVE-2022-0545 — Chain: 3D renderer has an integer overflow (CWE-190) leading to write-what-where condition (CWE-123) using a crafted image.
Source: MITRE CWE. View on cwe.mitre.org →