SYM_JAVA_0093 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Control of Generation of Code ('Code Injection')
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
The code builds and evaluates expressions from unvalidated or dynamic input, for example by passing a string that contains user-supplied data to `ExpressionFactory` in Java. Because the input becomes part of the expression text, user-supplied data controls what the expression engine executes, making the application vulnerable to code injection.
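The following is an added illustration, not code from the Symbiotic database: it shows the flagged pattern (untrusted text used as the EL expression itself) next to the hardened form, where the expression is a fixed template and the untrusted value is bound as a variable. It assumes an EL 3.0 API and implementation (package `javax.el`) on the classpath; the class and method names `ElInjectionDemo`, `evaluateUnsafe` and `evaluateSafe` are hypothetical.

```java
import javax.el.ELContext;
import javax.el.ExpressionFactory;
import javax.el.StandardELContext;
import javax.el.ValueExpression;

public class ElInjectionDemo {
    private static final ExpressionFactory FACTORY = ExpressionFactory.newInstance();

    // VULNERABLE (CWE-94): the untrusted string becomes the expression text,
    // so whoever controls the input decides what the EL engine evaluates.
    static Object evaluateUnsafe(String untrusted) {
        ELContext ctx = new StandardELContext(FACTORY);
        ValueExpression ve = FACTORY.createValueExpression(ctx, untrusted, Object.class);
        return ve.getValue(ctx);
    }

    // HARDENED: the expression text is a constant template; the untrusted
    // value is wrapped as a literal and exposed only through a named variable,
    // so any "${...}" or "#{...}" inside it is plain data and is not re-evaluated.
    static Object evaluateSafe(String untrusted) {
        ELContext ctx = new StandardELContext(FACTORY);
        ValueExpression literal = FACTORY.createValueExpression(untrusted, String.class);
        ctx.getVariableMapper().setVariable("name", literal);
        ValueExpression ve = FACTORY.createValueExpression(ctx, "Hello, ${name}", String.class);
        return ve.getValue(ctx);
    }

    public static void main(String[] args) {
        // Constructed sample input: harmless arithmetic, but it is EL syntax.
        String input = "${2 * 3}";
        // Unsafe path: the arithmetic is executed and a number comes back.
        System.out.println("unsafe: " + evaluateUnsafe(input));
        // Safe path: the greeting contains the input verbatim as text.
        System.out.println("safe:   " + evaluateSafe(input));
    }
}
```

If the feature genuinely requires evaluating caller-supplied expressions, treat the expression engine as an interpreter: restrict it with a custom `ELResolver` and an allowlist of variables and functions rather than trying to filter the input string.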
Impact
If exploited, an attacker could inject malicious expressions or code, leading to unauthorized actions, data exposure, or complete compromise of the server. Because the injected expression runs with the application's own privileges, the attacker can perform arbitrary operations in the application's context, putting data integrity and system security at risk.