CWE-94 - Improper Control of Generation of Code ('Code Injection')


The presence of code syntax in user-supplied data makes it possible for an attacker to alter the intended control flow and execute arbitrary code.
These weaknesses are called "injection weaknesses" and share distinct features. What they have in common is that they allow control data to be injected into user-controlled data. This means that the execution of any process can be altered by sending code through legitimate data channels, without using any other mechanism. While buffer overflows and many other flaws need some further issue to gain execution, injection problems need only for the data to be parsed.
The most common examples of "injection weaknesses" are SQL injection and format string vulnerabilities.
The weakness is introduced during the Architecture and Design and Implementation stages.

Description of CWE-94 on Mitre website