CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection’)

The software constructs all or part of a command, data structure, or record using externally influenced input from an upstream component, but it does not neutralize or incorrectly neutralize special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Impact

Confidentiality

Many injection attacks involve the disclosure of important information - in terms of both data sensitivity and usefulness in further exploitation.

Access Control

In some cases, injectable code controls authentication; this may lead to a remote vulnerability.

Integrity

Data injection attacks lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing.

Non-Repudiation

Often the actions performed by injected control code are unlogged.

Other

Injection attacks are characterized by the ability to significantly change the flow of a given process, and in some cases, to the execution of arbitrary code.

Last updated