CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE-95 Medium
- Abstraction:
- Variant
- Structure:
- Simple
- Status:
- Incomplete
- Weakness Name
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
- Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
This may allow an attacker to execute arbitrary code, or at least modify what code can be executed.
- Common Consequences
Scope: Confidentiality
Impact: Read Files or Directories, Read Application Data
Notes: The injected code could access restricted data / files.
Scope: Access Control
Impact: Bypass Protection Mechanism
Notes: In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Scope: Access Control
Impact: Gain Privileges or Assume Identity
Notes: Injected code can access resources that the attacker is directly prevented from accessing.
Scope: Integrity, Confidentiality, Availability, Other
Impact: Execute Unauthorized Code or Commands
Notes: Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code.
Scope: Non-Repudiation
Impact: Hide Activities
Notes: Often the actions performed by injected control code are unlogged.
- Related Weaknesses
- Release Date:
- 2006-07-19
- Latest Modification Date:
- 2024-07-16
Free security scan for your website