SYM_CONF_0029 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A03:2021 – Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
## Description

Interpolating Argo workflow parameters or input parameters directly into shell or Python scripts (such as here-scripts) lets untrusted input be executed as commands or code, because Argo substitutes the parameter value into the script text before it runs. This makes the workflow vulnerable to command or code injection.
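As an added example (not from the Symbiotic database or the Argo project), a vulnerable `script` template beside its hardened form, both given as the dict `yaml.safe_load` would produce so it runs without extra dependencies, and a small check that flags parameter references inside a script body. The template name `greet` and parameter `message` are constructed.

```python
import re
from typing import Dict, List, Tuple

# Argo's parameter syntax, e.g. {{inputs.parameters.message}}. Argo substitutes
# it textually before the script runs, so inside a script body the value
# becomes code rather than data.
PARAM_REF = re.compile(r"\{\{\s*(?:inputs|workflow)\.parameters\.[\w.-]+\s*\}\}")


def find_script_injection(workflow: Dict) -> List[Tuple[str, str]]:
    """Return (template name, parameter reference) for every script template
    whose `source` interpolates a workflow or input parameter directly.
    References bound via `env` are not flagged: the shell sees them as data."""
    findings: List[Tuple[str, str]] = []
    for tmpl in workflow.get("spec", {}).get("templates", []):
        source = (tmpl.get("script") or {}).get("source", "")
        for match in PARAM_REF.finditer(source):
            findings.append((tmpl.get("name", "<unnamed>"), match.group(0)))
    return findings


# Constructed sample workflow: the here-script echoes the parameter straight
# into the shell, so a parameter value containing shell metacharacters would be
# executed as a command rather than printed.
VULNERABLE: Dict = {"spec": {"templates": [{
    "name": "greet",
    "inputs": {"parameters": [{"name": "message"}]},
    "script": {"image": "alpine", "command": ["sh"],
               "source": "echo Hello {{inputs.parameters.message}}\n"},
}]}}

# Hardened form: bind the parameter to an environment variable and quote it in
# the script; the substitution happens in `env`, not in the script body.
HARDENED: Dict = {"spec": {"templates": [{
    "name": "greet",
    "inputs": {"parameters": [{"name": "message"}]},
    "script": {"image": "alpine", "command": ["sh"],
               "env": [{"name": "MESSAGE",
                        "value": "{{inputs.parameters.message}}"}],
               "source": 'echo "Hello $MESSAGE"\n'},
}]}}
```

Running `find_script_injection` over both dicts reports the `greet` template only for the vulnerable workflow; the same check can be applied to any workflow loaded with `yaml.safe_load`.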
## Impact

If exploited, an attacker could inject malicious commands or code through workflow parameters, potentially gaining unauthorized access, exfiltrating data, or compromising the entire CI/CD pipeline. This could lead to data loss, service disruption, or system takeover.