CWE-74Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

PUBLISHEDweakness recordHigh
released 2006-07-19 · last modified 2026-04-30
CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') - Diagram

Metadata

CWE ID:
CWE-74
摘要:
Class
结构:
Simple
状态:
Incomplete
发布日期:
2006-07-19
更新日期:
2026-04-30

名称

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

描述

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

常见后果

范围:
Confidentiality
影响:
Read Application Data
注释:
Many injection attacks involve the disclosure of important information -- in terms of both data sensitivity and usefulness in further exploitation.
范围:
Access Control
影响:
Bypass Protection Mechanism
注释:
In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
范围:
Other
影响:
Alter Execution Logic
注释:
Injection attacks are characterized by the ability to significantly change the flow of a given process, and in some cases, to the execution of arbitrary code.
范围:
Integrity, Other
影响:
Other
注释:
Data injection attacks lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing.
范围:
Non-Repudiation
影响:
Hide Activities
注释:
Often the actions performed by injected control code are unlogged.

相关 CWE

相关警报