The java.io package includes a PrintStream class that has two equivalent formatting methods: format() and printf(). System.out and System.err are PrintStream objects, allowing PrintStream methods to be invoked on the standard output and error streams. The risks from using these methods are not as high as from using similar functions in C or C++ [Seacord 2013]. The standard library implementations throw an exception when any conversion argument fails to match the corresponding format specifier. Although this helps mitigate against exploits, if untrusted data is incorporated into a format string, it can result in an information leak or allow a denial-of-service attack. Consequently, unsanitized input from an untrusted source must never be incorporated into format strings.
...
| CERT Perl Secure Coding Standard | IDS30-PL. Exclude user input from format strings |
Injection [RST] | |
CWE-134, Uncontrolled format string |
Bibliography
[API 2006] | |
Chapter 6, "Formatted Output" |
...