SYM_JAVA_0062 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Control of Generation of Code ('Code Injection')
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The code uses GroovyShell or GroovyClassLoader to compile and execute script source that is assembled at runtime, and that source may incorporate untrusted or unsanitized input. If such input is not properly validated before it becomes part of the script text, an attacker can inject arbitrary Groovy code, which the JVM then runs with the privileges of the application.
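The pattern the rule flags, and one way to restructure it, shown as an added example that is not taken from the database or from any flagged project. The method names, the discount scenario and the input values are constructed for illustration; the example assumes the Groovy 2.x/3.x `SecureASTCustomizer` setter names (Groovy 4 adds `setAllowed*` equivalents).

```java
import groovy.lang.Binding;
import groovy.lang.GroovyShell;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.customizers.SecureASTCustomizer;
import java.util.Arrays;
import java.util.Collections;

public class GroovyEvalExample {

    // FLAGGED PATTERN (hypothetical): the untrusted value is spliced into the script
    // source, so whatever the caller sends is compiled and executed as Groovy code.
    static Object applyDiscountVulnerable(double price, String untrustedRate) {
        Binding binding = new Binding();
        binding.setVariable("price", price);
        GroovyShell shell = new GroovyShell(binding);
        return shell.evaluate("price * (1 - " + untrustedRate + ")");
    }

    // RESTRUCTURED: the script text is a fixed, developer-authored constant; the
    // untrusted value is validated and reaches the script only as data via the Binding.
    static double applyDiscountSafe(double price, String untrustedRate) {
        double rate = Double.parseDouble(untrustedRate);   // rejects non-numeric input
        if (rate < 0 || rate > 1) throw new IllegalArgumentException("rate out of range");
        Binding binding = new Binding();
        binding.setVariable("price", price);
        binding.setVariable("rate", rate);
        GroovyShell shell = new GroovyShell(binding, restrictedConfig());
        return ((Number) shell.evaluate("price * (1 - rate)")).doubleValue();
    }

    // Defence in depth: a compile-time AST filter that rejects imports, method and
    // closure definitions, package declarations, and method calls on receivers other
    // than numeric types. It narrows what a script can do but is not a sandbox; the
    // real fix is keeping attacker-influenced text out of the script source entirely.
    static CompilerConfiguration restrictedConfig() {
        SecureASTCustomizer secure = new SecureASTCustomizer();
        secure.setImportsWhitelist(Collections.emptyList());
        secure.setStaticImportsWhitelist(Collections.emptyList());
        secure.setStaticStarImportsWhitelist(Collections.emptyList());
        secure.setIndirectImportCheckEnabled(true);
        secure.setMethodDefinitionAllowed(false);
        secure.setClosuresAllowed(false);
        secure.setPackageAllowed(false);
        secure.setReceiversClassesWhiteList(Arrays.<Class>asList(Number.class, Double.class, Integer.class));
        CompilerConfiguration config = new CompilerConfiguration();
        config.addCompilationCustomizers(secure);
        return config;
    }

    public static void main(String[] args) {
        System.out.println(applyDiscountSafe(100.0, "0.25"));
    }
}
```

When reviewing a finding, the question to ask is whether any part of the string handed to `evaluate`, `parse` or `parseClass` can be influenced by a caller; if the source is a constant and only the `Binding` carries external data, the finding is likely a false positive.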
Impact
If exploited, an attacker could execute malicious code on the server, leading to data theft, data loss, server compromise, or full control of the application environment. This can result in severe breaches, including unauthorized system access and data exposure.