Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Seam's logging API interpolates the message string it is given: any `#{...}` EL expression in the string is evaluated before the message is written. If user-supplied data is concatenated directly into the message string instead of being passed as a separate parameter, an expression contained in that data is evaluated as code.
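The pattern the description refers to, shown as an added Java illustration that is not part of the original rule page; the component class, the `query` parameter and the message text are assumptions made for the example:

```java
// Added illustration (not from the original rule page): a Seam 2 component that
// logs a user-supplied search term. The class, method and parameter names are
// assumptions for the example; the Seam annotations and Log type are real.
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.log.Log;

@Name("searchAction")
public class SearchAction {

    @Logger
    private Log log;

    // VULNERABLE: the untrusted value becomes part of the message template.
    // Seam's Log interpolates "#{...}" in the template, so a query containing
    // an EL expression is evaluated with the application's privileges before
    // anything reaches the log file.
    public void searchUnsafe(String query) {
        log.info("Search requested for: " + query);
    }

    // SAFE: the template is a constant and the untrusted value is passed as a
    // positional parameter. Seam replaces "#0" with the parameter's string
    // value without re-tokenizing it, so a "#{...}" inside the query is
    // written to the log as literal text rather than evaluated.
    public void searchSafe(String query) {
        log.info("Search requested for: #0", query);
    }
}
```

When reviewing code for this rule, any `Log` call whose first argument is assembled from untrusted input (string concatenation, `StringBuilder`, `String.format`) is the pattern to flag; a constant template with the data supplied as a parameter is the expected shape.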
Impact
An attacker who can get an EL expression into a logged message could execute arbitrary code on the server. This can lead to full system compromise, data breaches, or unauthorized actions within the application.