Property
Language: java
Severity: low
CWE: CWE-94: Improper Control of Generation of Code ('Code Injection')
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The code dynamically evaluates OGNL expressions using input that may come from untrusted sources. If these values are not properly validated or sanitized, attackers could inject malicious code into the expression and execute arbitrary commands.
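As an added illustration (not code from the rule page or from the OGNL project), the pattern this rule flags is shown beside a version that keeps request data out of the OGNL parser entirely; it assumes the ognl library is on the classpath, and the Report class and field keys are hypothetical.

```java
import ognl.Ognl;
import ognl.OgnlException;
import java.util.HashMap;
import java.util.Map;

public class OgnlRuleExample {

    // Hypothetical root object the expressions are evaluated against.
    public static class Report {
        public String getTitle() { return "Q3 summary"; }
        public int getRowCount() { return 42; }
    }

    // FLAGGED PATTERN: the expression text itself comes from the request.
    // Whoever controls that string controls what OGNL parses and evaluates.
    public static Object evaluateUnsafe(String expressionFromRequest, Report root)
            throws OgnlException {
        return Ognl.getValue(expressionFromRequest, root);
    }

    // HARDENED: untrusted input only selects a key. The expressions are
    // constant strings parsed once at class-load time, so attacker-supplied
    // text never reaches the OGNL parser.
    private static final Map<String, Object> ALLOWED = new HashMap<>();
    static {
        try {
            ALLOWED.put("title", Ognl.parseExpression("title"));
            ALLOWED.put("rows", Ognl.parseExpression("rowCount"));
        } catch (OgnlException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    public static Object evaluateSafe(String fieldKey, Report root) throws OgnlException {
        Object tree = ALLOWED.get(fieldKey);
        if (tree == null) {
            // Unknown keys are rejected rather than interpreted.
            throw new IllegalArgumentException("unknown field: " + fieldKey);
        }
        return Ognl.getValue(tree, root); // evaluates the pre-parsed constant tree
    }

    public static void main(String[] args) throws OgnlException {
        Report r = new Report();
        System.out.println(evaluateSafe("rows", r));
        System.out.println(evaluateSafe("title", r));
    }
}
```

Where the set of expressions genuinely has to vary at runtime, validate the input against a strict allow-list of property names before parsing, and never concatenate request data into the expression string.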

Impact

Exploiting this vulnerability could allow an attacker to execute arbitrary Java code on the server, access sensitive data, modify application behavior, or take full control of the application. This can lead to data breaches, system compromise, and significant harm to both users and the organization.