SYM_JAVA_0067 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Property Value
Language java
Severity medium
CWE CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
OWASP A01:2017 - Injection
Confidence Level Medium
Impact Level Medium
Likelihood Level Medium

Description

User input taken directly from an HTTP request is being passed to system commands via ProcessBuilder or Runtime.exec without proper validation. This allows attackers to inject malicious commands into the operating system.

Impact

If exploited, an attacker could execute arbitrary system commands on your server, potentially gaining full control, stealing data, or disrupting service. This can lead to data breaches, server compromise, and serious security incidents.