# Improper Control of Generation of Code (‘Code Injection’)

| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code (‘Code Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
## Description
The code uses GroovyShell or GroovyClassLoader to execute dynamically built expressions, which may include untrusted or unsanitized input. This allows attackers to inject and run arbitrary Groovy code if the input is not properly validated.
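The following added example (not part of the original rule text, and not code from any project the rule targets) shows the pattern the rule flags next to a hardened form. It assumes Groovy 4 on the classpath (`org.apache.groovy:groovy`) and uses Groovy 4 method names on `SecureASTCustomizer`; the `request` map, the `quantity` parameter and `GroovyEvalExample` are hypothetical names chosen for illustration. The vulnerable method splices a request parameter into the script source, so the caller decides what gets compiled and run; the safe method keeps the script a constant, passes the input as typed data through a `Binding`, and additionally restricts what the compiler will accept.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;

import groovy.lang.Binding;
import groovy.lang.GroovyShell;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.customizers.SecureASTCustomizer;
import org.codehaus.groovy.syntax.Types;

public class GroovyEvalExample {

    // VULNERABLE (CWE-94): the "quantity" request parameter becomes part of the script
    // source. Anything the caller sends is compiled and executed as Groovy, not treated
    // as a number.
    static Object vulnerableTotal(Map<String, String> request, double unitPrice) {
        String script = "return " + unitPrice + " * " + request.get("quantity");
        return new GroovyShell().evaluate(script);
    }

    // HARDENED: untrusted input never reaches the source text. It is parsed as the type
    // the application expects and exposed to a constant script as a bound variable.
    static double safeTotal(Map<String, String> request, double unitPrice) {
        int quantity = Integer.parseInt(request.get("quantity")); // rejects non-numeric input
        Binding binding = new Binding();
        binding.setVariable("unitPrice", unitPrice);
        binding.setVariable("quantity", quantity);
        GroovyShell shell = new GroovyShell(binding, restrictedConfig());
        Object result = shell.evaluate("return unitPrice * quantity");
        return ((Number) result).doubleValue();
    }

    // Defence in depth: even for application-controlled scripts, have the compiler refuse
    // everything except arithmetic on numeric values. No imports, no closures, no method
    // definitions, no method receivers, and only + - * / as operators.
    static CompilerConfiguration restrictedConfig() {
        SecureASTCustomizer secure = new SecureASTCustomizer();
        secure.setClosuresAllowed(false);
        secure.setMethodDefinitionAllowed(false);
        secure.setIndirectImportCheckEnabled(true);
        secure.setAllowedImports(Collections.emptyList());
        secure.setAllowedStarImports(Collections.emptyList());
        secure.setAllowedStaticImports(Collections.emptyList());
        secure.setAllowedStaticStarImports(Collections.emptyList());
        secure.setAllowedReceivers(Collections.emptyList());
        secure.setAllowedTokens(Arrays.asList(
                Types.PLUS, Types.MINUS, Types.MULTIPLY, Types.DIVIDE));
        secure.setAllowedConstantTypes(Arrays.asList(
                "java.lang.Integer", "java.lang.Long", "java.lang.Double",
                "java.math.BigDecimal"));

        CompilerConfiguration config = new CompilerConfiguration();
        config.addCompilationCustomizers(secure);
        return config;
    }

    // Returns true when the restricted configuration refuses to compile the script.
    // Useful as a unit test that the AST restrictions are actually in force.
    static boolean isRejected(String script) {
        try {
            new GroovyShell(new Binding(), restrictedConfig()).evaluate(script);
            return false;
        } catch (CompilationFailedException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample request: a well-formed quantity.
        Map<String, String> request = Map.of("quantity", "3");
        System.out.println("safeTotal = " + safeTotal(request, 2.5));

        // A non-arithmetic script (string literal plus a method call) is refused by the
        // restricted compiler configuration before it runs.
        System.out.println("rejected = " + isRejected("\"abc\".toUpperCase()"));

        // Non-numeric input is rejected by the type parse, never compiled as code.
        try {
            safeTotal(Map.of("quantity", "three"), 2.5);
        } catch (NumberFormatException e) {
            System.out.println("rejected non-numeric quantity: " + e.getMessage());
        }
    }
}
```

The same reasoning applies to `GroovyClassLoader.parseClass(...)`: if the source string is assembled from request data, the caller controls the class that gets defined. The primary fix is to keep script source constant and pass data through a `Binding` (or method arguments); the `SecureASTCustomizer` restrictions are a second layer that limits what even an application-owned script may do, and should be checked by a test like `isRejected` so a later edit to the configuration does not silently widen it.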
## Impact
If exploited, an attacker could execute malicious code on the server, leading to data theft, data loss, server compromise, or full control of the application environment. This can result in severe breaches, including unauthorized system access and data exposure.