SYM_GO_0016 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Control of Generation of Code ('Code Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Low |
Description
The code constructs commands for exec.Cmd using variables or user-controlled input, rather than fixed, hard-coded strings. This allows potentially untrusted data to influence which commands are executed, making the code vulnerable to command injection.
Impact
If an attacker can control or influence the input used in exec.Cmd, they could execute arbitrary system commands with the application's privileges. This can lead to data theft, system compromise, or unauthorized access to sensitive resources, severely impacting the application's security and integrity.
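The pattern from the Description next to a hardened builder, as an added example that is not part of the rule page or the project's code. The `ping` use case, the function names and the hostname policy are assumptions chosen for illustration; the sample input is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os/exec"
	"regexp"
)

// hostnameRE accepts DNS-style names only (assumed policy for this example).
// The first character must be alphanumeric, so a value can never start with '-'.
var hostnameRE = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$`)

// buildPingUnsafe is the flagged pattern: caller-controlled text is
// concatenated into a string that a shell will parse.
func buildPingUnsafe(host string) *exec.Cmd {
	return exec.Command("sh", "-c", "ping -c 1 "+host)
}

// buildPingSafe keeps the program name and flags hard-coded, validates the
// one variable argument, and passes it as its own argv element (no shell).
func buildPingSafe(host string) (*exec.Cmd, error) {
	if net.ParseIP(host) == nil && !hostnameRE.MatchString(host) {
		return nil, errors.New("invalid host")
	}
	return exec.Command("ping", "-c", "1", host), nil
}

func main() {
	input := "example.com; id" // constructed sample input
	// Only builds the commands and prints their argv; nothing is executed.
	fmt.Printf("unsafe argv: %q\n", buildPingUnsafe(input).Args)
	if _, err := buildPingSafe(input); err != nil {
		fmt.Println("safe builder rejected input:", err)
	}
	cmd, _ := buildPingSafe("example.com")
	fmt.Printf("safe argv:   %q\n", cmd.Args)
}
```

In the unsafe builder the whole input lands inside the single string handed to `sh -c`, so the shell decides where one command ends. The safe builder rejects that input, and for accepted values the host is only ever the last element of `ping`'s argument vector.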