SYM_JAVA_0150 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | High |
Description
Untrusted user input is placed directly into a system command that is then executed (for example through Runtime.exec or ProcessBuilder) without proper validation and without being separated from the command as its own argument. This allows attackers to inject additional commands or arguments that the server will run.
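As an added illustration (not code from the SymbioticSec database entry), the Java snippet below shows the pattern described above next to a hardened version: the unsafe method hands a concatenated string to a shell, while the safe method allowlists the value and passes it as a separate argument with no shell. The `ping` command, the `PingService` class and the sample hostnames are assumptions for this example, and a Unix-like host is assumed.

```java
import java.io.IOException;
import java.util.List;
import java.util.regex.Pattern;

public class PingService {
    // Vulnerable pattern: user input is concatenated into a command string that a
    // shell parses, so metacharacters in 'host' become command separators or
    // substitutions. (Runtime.exec(String) avoids the shell but still splits on
    // whitespace, so concatenation there allows extra arguments to be injected.)
    static Process pingUnsafe(String host) throws IOException {
        String cmd = "ping -c 1 " + host; // untrusted data joins the command text
        return new ProcessBuilder("sh", "-c", cmd).start();
    }

    // Hardened version: (1) allowlist the input against a strict hostname grammar,
    // (2) invoke the program directly with an argument list, no shell involved.
    private static final Pattern HOSTNAME = Pattern.compile(
        "^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
        + "(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$");

    static boolean isValidHost(String host) {
        return host != null && host.length() <= 253 && HOSTNAME.matcher(host).matches();
    }

    static Process pingSafe(String host) throws IOException {
        if (!isValidHost(host)) {
            throw new IllegalArgumentException("rejected host argument");
        }
        // Each list element reaches the OS as one literal argv entry; "--" also
        // stops a value beginning with '-' from being read as a ping option.
        return new ProcessBuilder(List.of("ping", "-c", "1", "--", host)).start();
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        // Constructed sample inputs: a benign hostname, a leading-dash value, and
        // a value carrying a shell metacharacter. Only the first passes validation.
        for (String input : new String[] {"example.com", "-f", "example.com;"}) {
            System.out.println(input + " -> valid: " + isValidHost(input));
        }
        Process p = pingSafe("localhost");
        System.out.println("ping exit code: " + p.waitFor());
    }
}
```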
Impact
If exploited, attackers could execute arbitrary commands on your server, leading to data theft, system compromise, malware installation, or complete loss of control over the application and underlying infrastructure.