Scope | Impact | Likelihood |
---|---|---|
Integrity Confidentiality Availability Other | Execute Unauthorized Code or Commands, Alter Execution Logic Note: The attacker might be able to execute code that is not directly accessible to the attacker. Alternately, the attacker could call unexpected code in the wrong place or the wrong time, possibly modifying critical system state. | |
Availability Other | DoS: Crash, Exit, or Restart, Other Note: The attacker might be able to use reflection to call the wrong code, possibly with unexpected arguments that violate the API (CWE-227). This could cause the product to exit or hang. | |
Confidentiality | Read Application Data Note: By causing the wrong code to be invoked, the attacker might be able to trigger a runtime error that leaks sensitive information in the error message, such as CWE-536. |
References | Description |
---|---|
CVE-2018-1000613 | Cryptography API uses unsafe reflection when deserializing a private key |
CVE-2004-2331 | Database system allows attackers to bypass sandbox restrictions by using the Reflection API. |
CAPEC-ID | Attack Pattern Name |
---|---|
CAPEC-138 | Reflection Injection An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application. |
Name | Organization | Date | Date release | Version |
---|---|---|---|---|
7 Pernicious Kingdoms | Draft 3 |
Name | Organization | Date | Comment |
---|---|---|---|
Eric Dalci | Cigital | updated Potential_Mitigations, Time_of_Introduction | |
KDM Analytics | added/updated white box definitions | ||
CWE Content Team | MITRE | updated Description, Relationships, Other_Notes, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Applicable_Platforms, Demonstrative_Examples, Description, Other_Notes | |
CWE Content Team | MITRE | updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Observed_Examples, Potential_Mitigations | |
CWE Content Team | MITRE | updated Demonstrative_Examples, Name | |
CWE Content Team | MITRE | updated Alternate_Terms, Relationships | |
CWE Content Team | MITRE | updated Demonstrative_Examples | |
CWE Content Team | MITRE | updated Common_Consequences, Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated White_Box_Definitions | |
CWE Content Team | MITRE | updated Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated References, Relationships | |
CWE Content Team | MITRE | updated Potential_Mitigations | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Common_Consequences, Demonstrative_Examples, Description, Related_Attack_Patterns, Relationships | |
CWE Content Team | MITRE | updated Detection_Factors, Relationships | |
CWE Content Team | MITRE | updated Mapping_Notes | |
CWE Content Team | MITRE | updated Observed_Examples |