CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- Abstraction: Class
- Structure: Simple
- Status: Incomplete
- Release date: 2006-07-19
- Last updated: 2026-04-30
Name
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Description
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Common Consequences
Scope: Confidentiality
Impact: Read Application Data
Note: Many injection attacks involve the disclosure of important information -- in terms of both data sensitivity and usefulness in further exploitation.
Scope: Access Control
Impact: Bypass Protection Mechanism
Note: In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Scope: Other
Impact: Alter Execution Logic
Note: Injection attacks are characterized by the ability to significantly change the flow of a given process, and in some cases, to lead to the execution of arbitrary code.
Scope: Integrity, Other
Impact: Other
Note: Data injection attacks lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing.
Scope: Non-Repudiation
Impact: Hide Activities
Note: Often the actions performed by injected control code are unlogged.