CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- Abstraction: Class
- Structure: Simple
- Status: Incomplete
- Release Date: 2006-07-19
- Latest Modification Date: 2026-04-30
Weakness Name
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Description
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
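An added illustration of the description above, not part of the CWE entry: an upstream component builds a delimited record from external input, first without and then with neutralization, and a downstream component parses it. The record format, the function names and the sample input are all constructed for this example.

```python
from urllib.parse import quote, unquote

# Assumed record format (constructed for this example): "key=value" pairs
# joined by ";". The special elements are therefore ";" and "=".

def build_record_unsafe(username: str) -> str:
    """Upstream: concatenates input without neutralizing ';' or '='."""
    return f"role=user;user={username}"

def build_record_safe(username: str) -> str:
    """Upstream: percent-encodes every special element in the value."""
    return f"role=user;user={quote(username, safe='')}"

def parse_record(record: str) -> dict:
    """Downstream: splits on the delimiters; a repeated key overwrites."""
    fields = {}
    for pair in record.split(";"):
        key, _, value = pair.partition("=")
        fields[key] = unquote(value)
    return fields

def parse_record_strict(record: str) -> dict:
    """Downstream, defense in depth: a repeated key is treated as an error."""
    fields = {}
    for pair in record.split(";"):
        key, sep, value = pair.partition("=")
        if not sep or key in fields:
            raise ValueError(f"malformed or duplicate field: {pair!r}")
        fields[key] = unquote(value)
    return fields

# Constructed sample input containing the format's special elements.
SAMPLE_INPUT = "mallory;role=admin"

if __name__ == "__main__":
    # Unneutralized: the value is parsed as structure and changes the role.
    print(parse_record(build_record_unsafe(SAMPLE_INPUT)))
    # Neutralized: the same bytes arrive downstream as data only.
    print(parse_record(build_record_safe(SAMPLE_INPUT)))
```

The strict parser does not replace neutralization upstream; it only turns one visible symptom (a duplicated field) into a rejected record.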
Common Consequences
Scope: Confidentiality
Impact: Read Application Data
Notes: Many injection attacks involve the disclosure of important information -- in terms of both data sensitivity and usefulness in further exploitation.
Scope: Access Control
Impact: Bypass Protection Mechanism
Notes: In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Scope: Other
Impact: Alter Execution Logic
Notes: Injection attacks are characterized by the ability to significantly change the flow of a given process and, in some cases, to execute arbitrary code.
Scope: Integrity, Other
Impact: Other
Notes: Data injection attacks lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing.
Scope: Non-Repudiation
Impact: Hide Activities
Notes: Often the actions performed by injected control code are unlogged.