CWE-94: Improper Control of Generation of Code ('Code Injection')

PUBLISHED · weakness record · Medium
released 2006-07-19 · last modified 2026-04-30

Metadata

CWE ID:
CWE-94
Abstraction:
Base
Structure:
Simple
Status:
Draft
Published:
2006-07-19
Last modified:
2026-04-30

Name

Improper Control of Generation of Code ('Code Injection')

Description

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Common Consequences

Scope:
Access Control
Impact:
Bypass Protection Mechanism
Note:
In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Scope:
Access Control
Impact:
Gain Privileges or Assume Identity
Note:
Injected code can access resources that the attacker is directly prevented from accessing.
Scope:
Integrity, Confidentiality, Availability
Impact:
Execute Unauthorized Code or Commands
Note:
When a product allows a user's input to contain code syntax, it might be possible for an attacker to craft the code in such a way that it will alter the intended control flow of the product. As a result, code injection can often result in the execution of arbitrary code. Code injection attacks can also lead to loss of data integrity in nearly all cases, since the control-plane data injected is always incidental to data recall or writing.
Scope:
Non-Repudiation
Impact:
Hide Activities
Note:
Often the actions performed by injected control code are unlogged.
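As an added illustration of the "Execute Unauthorized Code or Commands" consequence (example code, not part of the CWE record), a constructed Python "calculator" is shown in its injectable form beside a hardened rewrite that parses the input and accepts only numeric literals and arithmetic operators, so the input can never become code. Function names are assumptions.

```python
import ast
import operator

# Constructed example: an endpoint that evaluates a user-supplied expression.
# The vulnerable form hands the raw string to eval(), so any Python syntax in
# the input is compiled and executed as part of the program (CWE-94).
def vulnerable_calc(expr: str):
    return eval(expr)  # input is treated as code, not data

# Hardened form: parse to an AST and walk it with an allowlist. Only numeric
# constants, binary arithmetic and unary minus are accepted; names, calls,
# attribute access and everything else are rejected before any execution.
_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.USub: operator.neg,
}

def safe_calc(expr: str):
    tree = ast.parse(expr, mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.operand))
        # Any other node type means the input carried code syntax, not a value.
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)

def is_rejected(expr: str) -> bool:
    """True if the hardened evaluator refuses the input (syntax or allowlist)."""
    try:
        safe_calc(expr)
    except (ValueError, SyntaxError):
        return True
    return False
```

Logging each rejection at the boundary also addresses the "Hide Activities" consequence, since the attempt is recorded rather than silently executed.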

Related CWEs

Related Alerts