SYM_JAVA_0133 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Using dynamic values in Seam Logging API messages can allow untrusted input to be evaluated as code. If user-supplied data is inserted directly into log messages, it may lead to unintended code execution.
Impact
An attacker could inject malicious expressions into log messages, potentially executing arbitrary code on the server. This can lead to full system compromise, data breaches, or unauthorized actions within the application.
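The pattern described above, shown as an added example that is not code from the Symbiotic database or the Seam project: the first method concatenates request-controlled text into the log message template, the second passes the same values as Seam positional parameters. The `org.jboss.seam.log.Log` / `Logging` API is Seam 2's; the class name, method names and the constructed input are illustrative assumptions.

```java
// Added example (not from the Symbiotic database or the Seam project).
// Assumes Seam 2's org.jboss.seam.log.Log and org.jboss.seam.log.Logging.
// AuditLogger, recordSearchUnsafe and recordSearch are hypothetical names.
import org.jboss.seam.log.Log;
import org.jboss.seam.log.Logging;

public class AuditLogger {

    private static final Log log = Logging.getLog(AuditLogger.class);

    // VULNERABLE: the request-controlled strings become part of the message
    // template itself. Seam interpolates the whole template before writing
    // the line, so expression syntax that arrives inside 'username' or
    // 'query' is treated as a directive, not as data.
    public void recordSearchUnsafe(String username, String query) {
        log.info("User " + username + " searched for " + query);
    }

    // SAFE: the template is a compile-time constant and the dynamic values
    // are handed over as positional parameters (#0, #1). Seam substitutes
    // the argument text into those slots without interpolating it, so the
    // same input is written to the log literally.
    public void recordSearch(String username, String query) {
        log.info("User #0 searched for #1", username, query);
    }

    // Illustration only: both methods receive the same constructed input;
    // only the second one keeps it inert.
    public static void main(String[] args) {
        AuditLogger audit = new AuditLogger();
        String constructedUser = "alice";
        String constructedQuery = "quarterly report";
        audit.recordSearchUnsafe(constructedUser, constructedQuery);
        audit.recordSearch(constructedUser, constructedQuery);
    }
}
```

The review check for this entry is mechanical: any `log.<level>(...)` call whose first argument is a string concatenation, `String.format` result or `StringBuilder` output built from request data is the vulnerable shape; the fix is always the same, a constant template plus `#0`-style parameters. Static analysers such as Find Security Bugs flag this shape under their Seam log injection rule, which makes it a cheap addition to a CI gate.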