SYM_JAVA_0081 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Control of Generation of Code ('Code Injection')
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
User-controlled data is passed directly to the eval() method of a javax.script.ScriptEngine (for example the JavaScript engine returned by ScriptEngineManager). eval() treats its argument as a program, not as data, so an attacker who controls the input controls what code the engine executes inside the JVM.
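The pattern the rule flags, next to the usual fix, as an added example that is not part of the SymbioticSec database entry. The script engine is looked up by the standard name "JavaScript"; on JDK 15 and later this returns null unless a standalone Nashorn (or another JSR-223 engine) is on the classpath, so the example checks for that. The method names, the discount script and the hostile input string are all constructed for illustration.

```java
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

public class ScriptEvalExample {

    // VULNERABLE (CWE-94): the request-controlled string *is* the program the engine runs.
    static Object evalUserExpression(ScriptEngine engine, String userInput) throws ScriptException {
        return engine.eval(userInput);
    }

    // HARDENED: the script is a developer-controlled constant; user data only ever enters
    // as a typed *value* through Bindings and can never change the code that is evaluated.
    static final String DISCOUNT_SCRIPT = "quantity >= 10 ? price * 0.9 : price";

    static Object priceWithDiscount(ScriptEngine engine, double price, String quantityInput)
            throws ScriptException {
        int quantity;
        try {
            // Validate the shape of the input before it gets anywhere near the engine.
            quantity = Integer.parseInt(quantityInput.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("quantity must be an integer");
        }
        Bindings bindings = engine.createBindings();
        bindings.put("price", price);
        bindings.put("quantity", quantity);
        return engine.eval(DISCOUNT_SCRIPT, bindings);
    }

    public static void main(String[] args) throws ScriptException {
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("JavaScript");
        if (engine == null) {
            System.err.println("No JavaScript ScriptEngine available on this JDK "
                    + "(Nashorn was removed in JDK 15; add a standalone engine to the classpath).");
            return;
        }

        // Constructed hostile input: instead of a number, an expression that reaches into the JVM.
        // Any Java class reachable from the engine can be called the same way.
        String hostile = "java.lang.System.getProperty(\"user.dir\")";

        System.out.println("vulnerable: " + evalUserExpression(engine, hostile));
        System.out.println("hardened:   " + priceWithDiscount(engine, 100.0, "12"));
        try {
            priceWithDiscount(engine, 100.0, hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened rejected hostile input: " + e.getMessage());
        }
    }
}
```

The first call runs whatever the caller sent; the hardened path never lets user text reach eval() as code, only as a bound variable after validation. Restricting which Java classes the engine may touch (Nashorn's NashornScriptEngineFactory.getScriptEngine(ClassFilter) or a security manager, where still available) is defence in depth, not a substitute: the only reliable fix is to keep the evaluated script under developer control.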
Impact
If exploited, an attacker can execute arbitrary code with the privileges of the application's JVM process. Script engines such as Nashorn expose the Java class library, so an injected script can read files and environment data, open network connections, spawn processes, or call any application class that is on the classpath. The result can be unauthorized access, data theft, or full compromise of the server.