CWE-94—Improper Control of Generation of Code ('Code Injection')
Published · weakness record · Medium
released 2006-07-19 · last modified 2026-04-30
Metadata
- CWE ID: CWE-94
- Abstraction: Base
- Structure: Simple
- Status: Draft
- Release date: 2006-07-19
- Last modified: 2026-04-30
Name
Improper Control of Generation of Code ('Code Injection')
Description
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
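As an added illustration of this pattern (example code, not part of the CWE record): a small arithmetic evaluator in the injectable form the description covers, beside a hardened form that parses the input into an AST and evaluates only an allow-list of arithmetic nodes, so externally supplied text can never become a call, name or attribute access. All function names and limits are assumptions of this example.

```python
import ast
import operator

# Vulnerable pattern (CWE-94): the externally supplied string is handed to
# the interpreter as code, so its syntax is fully under the caller's control.
def evaluate_unsafe(expr: str) -> float:
    return eval(expr)  # any Python expression runs here, not just arithmetic

# Hardened form: parse the string into an AST and evaluate it ourselves,
# walking only an allow-list of node types. Calls, names, attributes,
# subscripts and everything else are rejected before anything is evaluated.
_BINOPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow,
}
_UNARYOPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_LEN = 200       # bound parser work on oversized input (assumed limit)
MAX_EXPONENT = 64   # bound ** so a short string cannot exhaust memory

def _fold(node: ast.AST) -> float:
    if isinstance(node, ast.Constant):
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(node.value, (int, float)) and not isinstance(node.value, bool):
            return node.value
    elif isinstance(node, ast.UnaryOp) and type(node.op) in _UNARYOPS:
        return _UNARYOPS[type(node.op)](_fold(node.operand))
    elif isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        left, right = _fold(node.left), _fold(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise ValueError("exponent too large")
        return _BINOPS[type(node.op)](left, right)
    # Any other node (Call, Name, Attribute, Subscript, ...) is code, not data.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")

def evaluate_safe(expr: str) -> float:
    if len(expr) > MAX_LEN:
        raise ValueError("expression too long")
    tree = ast.parse(expr, mode="eval")  # raises SyntaxError on malformed input
    return _fold(tree.body)

def is_rejected(expr: str) -> bool:
    """True if the hardened evaluator refuses the input outright."""
    try:
        evaluate_safe(expr)
    except (ValueError, SyntaxError):
        return True
    return False
```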
Common Consequences
- Scope: Access Control
  - Impact: Bypass Protection Mechanism
  - Note: In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
- Scope: Access Control
  - Impact: Gain Privileges or Assume Identity
  - Note: Injected code can access resources that the attacker is directly prevented from accessing.
- Scope: Integrity, Confidentiality, Availability
  - Impact: Execute Unauthorized Code or Commands
  - Note: When a product allows a user's input to contain code syntax, it might be possible for an attacker to craft the code in such a way that it will alter the intended control flow of the product. As a result, code injection can often result in the execution of arbitrary code. Code injection attacks can also lead to loss of data integrity in nearly all cases, since the control-plane data injected is always incidental to data recall or writing.
- Scope: Non-Repudiation
  - Impact: Hide Activities
  - Note: Often the actions performed by injected control code are unlogged.