| Property | Value |
| --- | --- |
| Language | java |
| Severity | low |
| CWE | CWE-470: Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |

Description

The code uses Class.forName with a class name that can be influenced by user input. This allows attackers to control which classes are loaded at runtime, leading to unexpected or unsafe application behavior.

Impact

An attacker could load arbitrary classes, potentially bypassing security checks, executing unauthorized code, or causing the application to malfunction. This could lead to privilege escalation, data exposure, or compromise of the application’s integrity.
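
The flagged pattern next to one common remediation, as an added example that is not part of the rule's own documentation: the caller's input is treated as a short key into a fixed allowlist instead of being passed to Class.forName. The `ReportExporter` interface, its two implementations and the method names are hypothetical, chosen only for illustration.

```java
import java.util.Map;

public class ReflectionAllowlistExample {

    // Hypothetical plugin interface and implementations (illustration only).
    interface ReportExporter { String export(String data); }
    static class CsvExporter implements ReportExporter {
        public String export(String data) { return "csv:" + data; }
    }
    static class JsonExporter implements ReportExporter {
        public String export(String data) { return "json:" + data; }
    }

    // Flagged pattern: the caller-supplied string selects the class to load.
    // Any class on the classpath can be named; it is loaded, initialized and
    // instantiated before the cast to ReportExporter has a chance to fail.
    static ReportExporter unsafeLoad(String className) throws Exception {
        Class<?> cls = Class.forName(className);
        return (ReportExporter) cls.getDeclaredConstructor().newInstance();
    }

    // Hardened form: input is only a lookup key; the set of loadable classes
    // is fixed at compile time and Class.forName is never called on input.
    private static final Map<String, Class<? extends ReportExporter>> ALLOWED = Map.of(
            "csv", CsvExporter.class,
            "json", JsonExporter.class);

    static ReportExporter safeLoad(String key) throws Exception {
        // Map.of() maps throw on null lookups, so handle null explicitly.
        Class<? extends ReportExporter> cls = (key == null) ? null : ALLOWED.get(key);
        if (cls == null) {
            throw new IllegalArgumentException("unsupported exporter: " + key);
        }
        return cls.getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(safeLoad("csv").export("a,b"));
        try {
            // A fully qualified class name is not a valid key and is rejected.
            safeLoad("java.lang.Runtime");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```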