SYM_JAVA_0034 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Building command strings for Runtime.exec or loadLibrary using string concatenation or formatting with user-influenced variables is unsafe. This allows attackers to inject malicious commands if inputs aren't properly validated or sanitized.
Impact
If exploited, attackers could execute arbitrary system commands on the server, leading to data theft, system compromise, or complete control over the application environment. This can result in data breaches, service disruptions, and significant damage to the organization.