logo

CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CWE-95 Medium

  • Abstraction:
  • Variant
  • Structure:
  • Simple
  • Status:
  • Incomplete
Weakness Name

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Description

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

This may allow an attacker to execute arbitrary code, or at least modify what code can be executed.

Common Consequences

Scope: Confidentiality

Impact: Read Files or Directories, Read Application Data

Notes: The injected code could access restricted data / files.

Scope: Access Control

Impact: Bypass Protection Mechanism

Notes: In some cases, injectable code controls authentication; this may lead to a remote vulnerability.

Scope: Access Control

Impact: Gain Privileges or Assume Identity

Notes: Injected code can access resources that the attacker is directly prevented from accessing.

Scope: Integrity, Confidentiality, Availability, Other

Impact: Execute Unauthorized Code or Commands

Notes: Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code.

Scope: Non-Repudiation

Impact: Hide Activities

Notes: Often the actions performed by injected control code are unlogged.

Related Weaknesses
  • Release Date:
  • 2006-07-19
  • Latest Modification Date:
  • 2024-07-16

Free security scan for your website