CWE-74βImproper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
PUBLISHEDweakness recordHigh
released 2006-07-19 Β· last modified 2026-04-30
Metadata
- CWE ID:
- CWE-74
- Abstraction:
- Class
- Structure:
- Simple
- Status:
- Incomplete
- Release Date:
- 2006-07-19
- Latest Modification Date:
- 2026-04-30
Weakness Name
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Description
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Common Consequences
- Scope:
- Confidentiality
- Impact:
- Read Application Data
- Notes:
- Many injection attacks involve the disclosure of important information -- in terms of both data sensitivity and usefulness in further exploitation.
- Scope:
- Access Control
- Impact:
- Bypass Protection Mechanism
- Notes:
- In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
- Scope:
- Other
- Impact:
- Alter Execution Logic
- Notes:
- Injection attacks are characterized by the ability to significantly change the flow of a given process, and in some cases, to the execution of arbitrary code.
- Scope:
- Integrity, Other
- Impact:
- Other
- Notes:
- Data injection attacks lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing.
- Scope:
- Non-Repudiation
- Impact:
- Hide Activities
- Notes:
- Often the actions performed by injected control code are unlogged.