Seam log injection via dynamic expression evaluation

Description

Detected usage of string concatenation in Seam logging methods, which support expression evaluation via EL (Expression Language). This can lead to arbitrary expression execution if user input is not sanitized.

Examples

Insecure Code

java

log.info("Action performed by user: " + username);

Secure Code

java

log.info("Action performed by user: #0", username);

Remediation

Use positional arguments instead of string concatenation for logging

Rule Details

Field	Value
ID	CODE-0759
Category	Injection
Severity	CRITICAL
CWE	CWE-95
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	MODERATE
Tags	logging, injection
OWASP	A03:2021-Injection

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Seam log injection via dynamic expression evaluation

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

Seam log injection via dynamic expression evaluation ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

Seam log injection via dynamic expression evaluation

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details