The java.io package includes a PrintStream class that has two equivalent formatting methods methods: format() and printf(). System.out is a PrintStream object and System.err are PrintStream objects, allowing PrintStream methods to be invoked on the standard output streamand error streams. The risks from using these methods are not as high as from using similar functions in C or C++ [Seacord 2013]. The standard library implementations throw an exception when any conversion argument fails to match the corresponding format specifier. Although this helps mitigate against exploits, if untrusted data is incorporated into a format string, it can result in an information leak or allow a denial-of-service attack. Consequently, unsanitized input from an untrusted source must never be incorporated into format strings.
...
This noncompliant code example leaks information about a users user's credit card. It incorporates untrusted data in a format string.
...
Related Guidelines
| CERT Perl Secure Coding Standard | IDS30-PL. Exclude user input from format strings |
Injection [RST] | |
CWE-134, Uncontrolled format string |
...