CWE-74—Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
PUBLISHEDweakness recordHigh
released 2006-07-19 · last modified 2026-04-30
Metadata
- CWE ID:
- CWE-74
- 摘要:
- Class
- 结构:
- Simple
- 状态:
- Incomplete
- 发布日期:
- 2006-07-19
- 更新日期:
- 2026-04-30
名称
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
描述
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
常见后果
- 范围:
- Confidentiality
- 影响:
- Read Application Data
- 注释:
- Many injection attacks involve the disclosure of important information -- in terms of both data sensitivity and usefulness in further exploitation.
- 范围:
- Access Control
- 影响:
- Bypass Protection Mechanism
- 注释:
- In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
- 范围:
- Other
- 影响:
- Alter Execution Logic
- 注释:
- Injection attacks are characterized by the ability to significantly change the flow of a given process, and in some cases, to the execution of arbitrary code.
- 范围:
- Integrity, Other
- 影响:
- Other
- 注释:
- Data injection attacks lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing.
- 范围:
- Non-Repudiation
- 影响:
- Hide Activities
- 注释:
- Often the actions performed by injected control code are unlogged.