SYM_JAVA_0087 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
## Description

User-controlled input is concatenated or formatted into a string that is then passed directly to Runtime.exec() or Runtime.loadLibrary(). If that input is not properly sanitized, an attacker can embed shell metacharacters and inject additional commands that the system shell will execute.
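An added example, not code from the Symbiotic database, showing the concatenate-into-a-shell pattern this entry describes beside a hardened version. The `PingRunner` class, the ping use case and the request-supplied `host` value are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration (not from the Symbiotic database). `host` is assumed to
// come straight from a request parameter and is therefore attacker-controlled.
public class PingRunner {

    // VULNERABLE: the user value is concatenated into a command string that is
    // handed to /bin/sh, so any shell metacharacters in `host` are interpreted
    // by the shell rather than passed to ping as data.
    static Process pingUnsafe(String host) throws IOException {
        String cmd = "ping -c 1 " + host;
        return Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", cmd});
    }

    // Allowlist: DNS hostnames and dotted IPv4 literals only. Spaces, ';', '|',
    // '&', '$', backticks, quotes and newlines never match, and a leading '-'
    // is excluded so the value cannot be parsed by ping as an option either.
    private static final Pattern HOST = Pattern.compile(
        "^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
      + "(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$");

    static boolean isSafeHost(String host) {
        return host != null && host.length() <= 253 && HOST.matcher(host).matches();
    }

    // HARDENED: reject anything outside the allowlist, then launch the program
    // directly with an argument list. No shell is involved, so the value is
    // delivered to ping as a single argv element whatever it contains.
    static Process pingSafe(String host) throws IOException {
        if (!isSafeHost(host)) {
            throw new IllegalArgumentException("rejected host value");
        }
        ProcessBuilder pb = new ProcessBuilder(List.of("ping", "-c", "1", host));
        pb.redirectErrorStream(true);
        return pb.start();
    }

    public static void main(String[] args) {
        // Constructed inputs: only the first should pass the allowlist.
        String[] samples = {"example.org", "127.0.0.1; id", "$(whoami)", "-f"};
        for (String h : samples) {
            System.out.println(h + " -> " + (isSafeHost(h) ? "accepted" : "rejected"));
        }
    }
}
```

The same rule applies to Runtime.loadLibrary(): the library name should be chosen from a fixed set by the application, never assembled from request data.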
## Impact

An attacker could execute arbitrary system commands on the server, potentially leading to data theft, server compromise, data loss, or full control over the affected system. This can result in severe security breaches, including unauthorized access and further attacks on your infrastructure.