CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Structure: Simple

Abstraction: Base

Status: Incomplete

Likelihood of Exploit: unknown

Description

The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

Related Weaknesses

  • ChildOf CWE-77 (View 1000, Ordinal: Primary)

  • ChildOf CWE-77 (View 699, Ordinal: Primary)

Applicable Platforms

Language: Java (Prevalence: Undetermined)

Common Consequences

Scope | Impact | Notes
Confidentiality | Read Application Data |
Integrity | Execute Unauthorized Code or Commands |

Notes

References