SYM_JAVA_0146 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Control of Generation of Code ('Code Injection')
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
The code builds Spring Expression Language (SpEL) expressions from dynamic input values and evaluates them without validating or filtering those values. Because the parser treats the input as part of the expression text, untrusted data is executed as code inside the application.
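Added example, not code from the Symbiotic database or any audited project: the vulnerable pattern described above (user input concatenated into the expression text) beside a hardened form in which the expression is a developer-written constant and the input is bound as a variable. It assumes Spring's spring-expression module is on the classpath; the class and method names are hypothetical.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelGreeting {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // VULNERABLE (hypothetical): the caller-controlled string becomes part of
    // the expression text, so it is parsed and evaluated as SpEL code, and
    // StandardEvaluationContext lets that code reach types, constructors and
    // reflection on the JVM.
    public static String greetVulnerable(String userInput) {
        String expr = "'Hello, ' + " + userInput;   // input is code here
        Expression e = PARSER.parseExpression(expr);
        return e.getValue(new StandardEvaluationContext(), String.class);
    }

    // HARDENED: the expression text is a constant written by the developer.
    // The caller-controlled string is bound as the #name variable, so the
    // parser never sees it and it can only ever be data.
    private static final String GREETING_TEMPLATE = "'Hello, ' + #name";

    public static String greetHardened(String userInput) {
        // SimpleEvaluationContext.forReadOnlyDataBinding() further removes
        // type references, constructors, bean references and assignment
        // from what the (constant) expression is allowed to do.
        SimpleEvaluationContext ctx = SimpleEvaluationContext
                .forReadOnlyDataBinding()
                .build();
        ctx.setVariable("name", userInput);
        Expression e = PARSER.parseExpression(GREETING_TEMPLATE);
        return e.getValue(ctx, String.class);
    }

    public static void main(String[] args) {
        // Constructed sample input. The vulnerable path parses it as an
        // expression, which is why it must be a quoted SpEL literal to parse
        // at all; the hardened path treats the very same bytes as a string.
        String sample = "'Alice'";
        System.out.println(greetVulnerable(sample));
        System.out.println(greetHardened(sample));
    }
}
```

Switching to SimpleEvaluationContext alone does not fix the finding: as long as the input is concatenated into the expression text, the remediation is to keep the expression constant and pass the input through setVariable.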
Impact
If exploited, an attacker could inject malicious expressions that are executed by the application, potentially leading to unauthorized access, data theft, or full system compromise. This can result in severe breaches, including leaking sensitive information or remote code execution.