Improper Control of Generation of Code (‘Code Injection’)

Property
Languagejava
Severitymedium
CWECWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASPA03:2021 - Injection
Confidence LevelLow
Impact LevelHigh
Likelihood LevelLow

Description

The code builds and evaluates expressions using unvalidated or dynamic input, such as with ExpressionFactory in Java. This allows user-supplied data to control what gets executed, making the application vulnerable to code injection.

Impact

If exploited, an attacker could inject malicious expressions or code, leading to unauthorized actions, data exposure, or complete compromise of the server. This could let attackers run arbitrary operations in your application’s context, risking data integrity and system security.

Improper Control of Generation of Code (‘Code Injection’)

Property
Languagejava
Severitymedium
CWECWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASPA03:2021 - Injection
Confidence LevelLow
Impact LevelHigh
Likelihood LevelLow

Description

The code constructs and evaluates Spring expressions (SpEL) using dynamic input values without properly validating or filtering them. This allows untrusted data to be directly executed as code within the application.

Impact

If exploited, an attacker could inject malicious expressions that are executed by the application, potentially leading to unauthorized access, data theft, or full system compromise. This can result in severe breaches, including leaking sensitive information or remote code execution.

Improper Control of Generation of Code (‘Code Injection’)

Property
Languagejavascript
Severitylow
CWECWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASPA03:2021 - Injection
Confidence LevelLow
Impact LevelLow
Likelihood LevelLow

Description

User-supplied data is being executed as code within a sandbox environment without proper validation. This allows attackers to inject and run arbitrary code if user input is not carefully controlled.

Impact

If exploited, an attacker could execute malicious code in the sandbox, potentially accessing sensitive information, escalating privileges, or disrupting application functionality. This could lead to data breaches or compromise the integrity of the application.

Improper Control of Generation of Code (‘Code Injection’)

Property
Languagejavascript
Severitymedium
CWECWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASPA03:2021 - Injection
Confidence LevelMedium
Impact LevelMedium
Likelihood LevelMedium

Description

Untrusted user input is being passed directly into the ‘sandbox’ library for code execution. This allows attackers to inject and run arbitrary code inside the sandbox, bypassing intended security controls.

Impact

If exploited, an attacker could execute malicious code on the server, potentially gaining access to sensitive data, manipulating application behavior, or compromising system integrity. This could lead to data breaches, service disruption, or further attacks on your infrastructure.

Improper Control of Generation of Code (‘Code Injection’)

Property
Languagejavascript
Severitymedium
CWECWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASPA03:2021 - Injection
Confidence LevelMedium
Impact LevelMedium
Likelihood LevelMedium

Description

User input from HTTP requests is being passed directly into vm2 for code execution without proper validation or sanitization. This allows untrusted data to influence what code is run inside the virtual machine.

Impact

If exploited, attackers could execute arbitrary code within the vm2 sandbox, potentially bypassing sandbox restrictions, stealing sensitive data, escalating privileges, or disrupting service. This puts the entire application and its data at risk.

Improper Control of Generation of Code (‘Code Injection’)

Property
Languagejavascript
Severitymedium
CWECWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASPA03:2021 - Injection
Confidence LevelMedium
Impact LevelMedium
Likelihood LevelMedium

Description

User input from HTTP requests is being passed directly to Node.js’s ‘vm’ module functions without validation. This allows attackers to inject and execute arbitrary JavaScript code within your server.

Impact

If exploited, an attacker could run malicious code with the application’s privileges, potentially accessing sensitive data, modifying server behavior, or taking control of the entire server. This can lead to data breaches, service disruption, or complete system compromise.

Improper Control of Generation of Code (‘Code Injection’)

Property
Languagejavascript
Severitylow
CWECWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASPA03:2021 - Injection
Confidence LevelLow
Impact LevelLow
Likelihood LevelLow

Description

Accessing and invoking object methods dynamically using non-static or user-provided values can allow attackers to execute unauthorized functions. This is risky if the method name comes from user input or other untrusted sources.

Impact

If exploited, an attacker could call arbitrary functions within your application, potentially leading to code execution, data leaks, or unauthorized actions. This can compromise the application’s integrity and expose sensitive data or functionality.

Improper Control of Generation of Code (‘Code Injection’)

Property
Languagejavascript
Severitymedium
CWECWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASPA03:2021 - Injection
Confidence LevelMedium
Impact LevelMedium
Likelihood LevelMedium

Description

Using the Node.js ‘vm’ module to execute code that includes user input is unsafe, as it allows attackers to inject and run arbitrary JavaScript. This occurs when untrusted data is passed to ‘vm’ functions like runInContext or compileFunction.

Impact

If exploited, an attacker could execute malicious code on your server, potentially accessing sensitive data, modifying application behavior, or compromising the entire system. This can lead to data breaches, service disruption, and further attacks within your environment.

Improper Control of Generation of Code (‘Code Injection’)

Property
Languagejavascript
Severitylow
CWECWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASPA03:2021 - Injection
Confidence LevelLow
Impact LevelMedium
Likelihood LevelLow

Description

User-supplied input is passed directly to the toFastProperties function from Bluebird, which internally uses eval(). This allows execution of arbitrary code if the input is not properly validated or sanitized.

Impact

If exploited, an attacker could run malicious code on your server, potentially gaining unauthorized access, stealing sensitive data, or taking control of the application. This kind of vulnerability can lead to complete system compromise and data breaches.

Improper Control of Generation of Code (‘Code Injection’)

Property
Languagejavascript
Severitymedium
CWECWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASPA03:2021 - Injection
Confidence LevelLow
Impact LevelHigh
Likelihood LevelLow

Description

Untrusted user input is being passed directly into the vm2 sandbox for execution. This allows users to inject and run arbitrary code inside the sandbox, which is risky if their data isn’t properly validated or sanitized.

Impact

If exploited, an attacker could execute malicious code within the vm2 sandbox, potentially bypassing security controls, accessing sensitive data, or causing the application to behave unexpectedly. This could lead to data leaks, unauthorized actions, or compromise of the server environment depending on vm2 configuration.