SYM_GO_0009 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Improper Control of Generation of Code ('Code Injection')

| Property | Value |
|---|---|
| Language | go |
| Severity | medium |
| CWE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |

Description

The code calls syscall.Exec or syscall.ForkExec with a command path or arguments that are not fixed values and may be derived from user input. Untrusted data can then determine what the system executes, including any command line that is handed to a shell for interpretation, which risks code injection.
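The following is an added example, not code from the SymbioticSec database or from any project it describes. It places the shape this rule flags (a shell command line built from untrusted input) next to a hardened form in which the executable is taken from a fixed allowlist and user data only appears as separate, validated argv elements; the allowlist entries, the `safeArg` pattern and the function names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"syscall"
)

// Constructed example for SYM_GO_0009, not code from the database.

// allowedCommands maps caller-facing names to fixed executable paths; nothing
// outside this map can ever be executed.
var allowedCommands = map[string]string{
	"list": "/bin/ls",
}

// safeArg accepts a single plain path component: no leading "-" (so an argument
// cannot become an option), no leading ".", no "/", no whitespace or shell metacharacters.
var safeArg = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9._-]*$`)

// vulnerableArgv is the flagged shape: untrusted input lands in a string /bin/sh will parse.
func vulnerableArgv(userInput string) (string, []string) {
	return "/bin/sh", []string{"sh", "-c", "ls " + userInput}
}

// buildArgv resolves a requested command to its fixed path and validates each
// untrusted argument, so the result is safe to pass to syscall.Exec/ForkExec.
func buildArgv(name string, userArgs []string) (string, []string, error) {
	path, ok := allowedCommands[name]
	if !ok {
		return "", nil, fmt.Errorf("command %q not in allowlist", name)
	}
	argv := []string{path}
	for _, a := range userArgs {
		if !safeArg.MatchString(a) {
			return "", nil, fmt.Errorf("argument %q failed validation", a)
		}
		argv = append(argv, a)
	}
	return path, argv, nil
}

func main() {
	path, argv, err := buildArgv("list", os.Args[1:]) // os.Args is untrusted input
	if err != nil {
		fmt.Fprintln(os.Stderr, "refused:", err)
		os.Exit(1)
	}
	fmt.Fprintln(os.Stderr, syscall.Exec(path, argv, os.Environ())) // returns only on failure
}
```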

Impact

If exploited, an attacker could execute arbitrary system commands with the application's privileges, leading to data theft, server compromise, or further attacks on internal systems. This could result in complete loss of control over the affected server or application.