1. Home
  2. Weaknesses
  3. CWE-470

CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

ID CWE-470
Abstraction Base
Structure Simple
Status Draft
Number of CVEs 26
Detail CAPEC Dashboard Vulnerabilities Web & Social
The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

If the product uses external inputs to determine which class to instantiate or which method to invoke, then an attacker could supply values to select unexpected classes or methods. If this occurs, then the attacker could create control flow paths that were not intended by the developer. These paths could bypass authentication or access control checks, or otherwise cause the product to behave in an unexpected manner. This situation becomes a doomsday scenario if the attacker can upload files into a location that appears on the product's classpath (CWE-427) or add new entries to the product's classpath (CWE-426). Under either of these conditions, the attacker can use reflection to introduce new, malicious behavior into the product.

Modes of Introduction

Phase Note
Architecture and Design
Implementation

Applicable Platforms

Type Class Name Prevalence
Language Java
Language PHP
Language Interpreted

Relationships

View Weakness
# ID View Status # ID Name Abstraction Structure Status
CWE-1000 Research Concepts Draft CWE-913 Improper Control of Dynamically-Managed Code Resources Class Simple Incomplete
CWE-1003 Weaknesses for Simplified Mapping of Published Vulnerabilities Incomplete CWE-913 Improper Control of Dynamically-Managed Code Resources Class Simple Incomplete
CWE-1000 Research Concepts Draft CWE-610 Externally Controlled Reference to a Resource in Another Sphere Class Simple Draft
CWE-700 Seven Pernicious Kingdoms Incomplete CWE-20 Improper Input Validation Class Simple Stable

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org
# ID Name Weaknesses
CAPEC-138 Reflection Injection CWE-470

CVEs Published

Based on CVE published date

CVSS Severity

CVSS Severity - By Year

CVSS Base Score

# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date