CWE-627 – Dynamic Variable Evaluation | Common Weakness Enumeration（CWE）

概要

CWE-627（Dynamic Variable Evaluation）は各種脆弱性データベースや評価で用いられる弱点タイプを説明します。定義・背景・対応する CVE は以下の各セクションを参照してください。

セキュリティへの影響: セキュリティ影響：製品や文脈に依存します。CVE 記録、深刻度、MITRE の説明を参照して優先度を判断してください。

説明

In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.

背景の詳細

CWE カタログからの補足説明（MITRE XHTML を基に表示）。

Many interpreted languages support the use of a "$$varname" construct to set a variable whose name is specified by the $varname variable. In PHP, these are referred to as "variable variables." Functions might also be invoked using similar syntax, such as $$funcname(arg1, arg2).

適用プラットフォーム

種別	名称	クラス	普遍性	OS / CPE
language	PHP	—	Undetermined	—
language	Perl	—	Undetermined	—

このデータベースの関連 CVE

これらの CVE は本データベースでこの弱点に対応付けられており、追跡と検索のために保持されています。

CVE	公開	概要
CVE-2026-2452	2026-02-16	Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final…
CVE-2026-2451	2026-02-16	Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final…
CVE-2026-2415	2026-02-16	Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final…
CVE-2024-8953	2025-03-20	In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted in…
CVE-2023-31032	2024-01-12	NVIDIA DGX A100 SBIOS contains a vulnerability where a user may cause a dynamic variable evaluation by local access. A successful exploit of this vulnerability may lead to denial of service.

コンテンツ投稿

名称: CWE Content Team
組織: MITRE
日付: 2007-05-07
バージョン: Draft 6

コンテンツの変更履歴

日付	名称	バージョン	重要度	コメント
2008-07-01	Eric Dalci	1.0	—	updated Time_of_Introduction
2008-09-08	CWE Content Team	1.0	—	updated Applicable_Platforms, Relationships
2008-10-14	CWE Content Team	1.0.1	—	updated Background_Details, Description
2011-03-29	CWE Content Team	1.12	—	updated Description
2011-06-01	CWE Content Team	1.13	—	updated Common_Consequences
2012-05-11	CWE Content Team	2.2	—	updated Common_Consequences, Relationships
2012-10-30	CWE Content Team	2.3	—	updated Potential_Mitigations
2013-02-21	CWE Content Team	2.4	—	updated Common_Consequences, Observed_Examples, Potential_Mitigations, Relationships, Weakness_Ordinalities
2014-07-30	CWE Content Team	2.8	—	updated Relationships
2017-11-08	CWE Content Team	3.0	—	updated References
2020-02-24	CWE Content Team	4.0	—	updated Relationships
2020-06-25	CWE Content Team	4.1	—	updated Potential_Mitigations
2023-04-27	CWE Content Team	4.11	—	updated References, Relationships, Type
2023-06-29	CWE Content Team	4.12	—	updated Mapping_Notes