Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
| Property | Value |
|---|---|
| Language | generic |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Using spring:eval with an expression built from dynamic data can allow untrusted input to be evaluated as code. If user input reaches the expression attribute without proper filtering, attackers can inject malicious expressions into your JSP pages.
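As an added illustration, not part of the original rule text, the JSP fragment below shows the pattern this rule targets next to a hardened form. `spring:eval` evaluates its `expression` attribute as a Spring Expression Language (SpEL) expression, so anything that JSP EL substitutes into that attribute becomes code rather than data. The request parameter names `expr` and `q`, and the model attribute `account` with its `balance` property, are constructed for this example and assume a controller that places `account` in the model.

```jsp
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<%-- VULNERABLE: the SpEL expression string comes from a request parameter.
     JSP EL resolves ${param.expr} first, so whatever the client sends becomes
     the expression that spring:eval parses and evaluates on the server. --%>
<p>Result: <spring:eval expression="${param.expr}" /></p>

<%-- HARDENED: the expression is a fixed literal chosen by the developer.
     User data still reaches the page, but only as a value referenced by the
     expression (the "account" model attribute), never as the expression itself. --%>
<p>Balance: <spring:eval expression="account.balance" /></p>

<%-- ALSO SAFE: when the page only needs to display a user-supplied value,
     plain JSP EL with output escaping (c:out) evaluates nothing as code. --%>
<p>You searched for: <c:out value="${param.q}" /></p>
```

The distinguishing feature for a static check is the attribute value, not the tag: a `spring:eval` whose `expression` contains `${...}` or `<%= %>` interpolation is the finding, while a literal expression such as `account.balance` is the intended use of the tag. The fix is therefore to keep the expression constant and move the variable part into the model, not to sanitize the parameter.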
Impact
If exploited, an attacker could execute arbitrary code on the server, compromise sensitive data, or alter application behavior. This can lead to data breaches, unauthorized access, or complete system compromise.