Formatting in Java is stricter than in traditional languages such as C. If any conversion argument mismatches with the corresponding flag, an appropriate exception is thrown. Although not easily exploitable, it is possible for user input to taint the format string and cause information leaks or denial of service in some cases.

Noncompliant Code Example

This noncompliant code example demonstrates an information leak issue. The code accepts the credit card expiration date as an input argument and uses it within the format string. In the absence of proper input validation, an artful attacker can glean the date against which the input is verified. Any of the arguments %1$tm, %1$te or %1$tY can aid such an attempt.

...
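The leak described above, placed beside the fix of passing the untrusted string as an argument instead of as part of the format string, as an added Java example that is not the rule's own noncompliant code; the expiry date, the probe input and the class and method names are constructed here.

```java
import java.util.Calendar;
import java.util.GregorianCalendar;
import java.util.IllegalFormatException;

public class FormatStringDemo {
    // Constructed sample: the secret date the user input is checked against.
    private static final Calendar EXPIRY = new GregorianCalendar(1995, Calendar.MAY, 23);

    // Noncompliant: the user's string becomes part of the format string, so any
    // %1$tm, %1$te or %1$tY it contains is resolved against the Calendar argument.
    static String noncompliant(String input) {
        return String.format(input + " did not match! HINT: It was issued on %1$terd of some month",
                             EXPIRY);
    }

    // Compliant: the format string is a constant; the user's string is only ever a %s
    // argument, so conversion specifiers inside it are printed literally.
    static String compliant(String input) {
        return String.format("%1$s did not match! HINT: It was issued on %2$terd of some month",
                             input, EXPIRY);
    }

    public static void main(String[] args) {
        // Constructed input that asks the formatter for month, day and year of argument 1.
        String probe = "%1$tm/%1$te/%1$tY";

        System.out.println(noncompliant(probe)); // leaks "05/23/1995 did not match! ..."
        System.out.println(compliant(probe));    // echoes "%1$tm/%1$te/%1$tY did not match! ..."

        // A mismatched conversion (Calendar is not an integer) is rejected with an exception
        // rather than reading garbage, which is why untrusted formats can also crash the caller.
        try {
            noncompliant("%1$d");
        } catch (IllegalFormatException e) {
            System.out.println("Rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Running the class shows the noncompliant path revealing the full expiry date while the compliant path prints the probe text unchanged.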