SYM_PY_0002 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
## Description

Building Bash commands for Airflow's BashOperator with string formatting or concatenation lets user-controlled input flow into the command string, where the shell interprets it. This exposes the code to OS command injection whenever any interpolated variable is not fully trusted.
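The following is an added example (not code from the Symbiotic-Vulnerability-Database project) showing the pattern the entry warns about next to two hardened forms. `process_report.sh`, the `REPORT_FILE` variable name and the sample filename are constructed for illustration; the BashOperator keyword arguments `bash_command` and `env` are real Airflow parameters, but Airflow itself is not imported so the snippet runs offline. `shell_words` tokenizes a command the way a POSIX shell would, which makes the difference between the vulnerable and quoted builders visible without executing anything.

```python
import re
import shlex

# Constructed sample input: a value that could arrive through a DAG run's
# conf or a task parameter. Everything after "report.csv" is shell syntax.
UNTRUSTED_FILENAME = "report.csv; rm -rf /tmp/data"


def build_command_vulnerable(filename: str) -> str:
    """The pattern this entry flags: the value is formatted straight into
    bash_command, so the shell parses it as part of the command line."""
    return f"process_report.sh {filename}"


def build_command_quoted(filename: str) -> str:
    """Hardened form 1: shlex.quote wraps the value in single quotes so the
    shell receives it as one literal argument."""
    return f"process_report.sh {shlex.quote(filename)}"


def build_task_kwargs_env(filename: str) -> dict:
    """Hardened form 2: keep the command string constant and hand the value
    to the shell through the environment (BashOperator's `env` argument).
    A double-quoted "$REPORT_FILE" is expanded, not re-parsed, by the shell."""
    return {
        "bash_command": 'process_report.sh "$REPORT_FILE"',
        "env": {"REPORT_FILE": filename},
    }


# Allowlist for values that are supposed to be plain file names (assumed policy).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def is_safe_filename(filename: str) -> bool:
    """Reject anything outside the allowlist before it reaches a command."""
    return SAFE_NAME.fullmatch(filename) is not None


def shell_words(command: str) -> list[str]:
    """Tokenize like a POSIX shell, treating ; | & < > ( ) as separate tokens,
    so we can see whether an injected separator survives as an operator."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


if __name__ == "__main__":
    print("vulnerable:", shell_words(build_command_vulnerable(UNTRUSTED_FILENAME)))
    print("quoted:    ", shell_words(build_command_quoted(UNTRUSTED_FILENAME)))
    print("env form:  ", build_task_kwargs_env(UNTRUSTED_FILENAME))
    print("allowlist: ", is_safe_filename(UNTRUSTED_FILENAME))
```

In the vulnerable form the `;` becomes its own token, so the shell would treat `rm -rf /tmp/data` as a second command; in the quoted form the whole value stays one argument. The `env` form is the most robust choice because the command string never changes, and an allowlist check on top of either is cheap defence in depth. Note that Jinja templating inside `bash_command` (for example `{{ dag_run.conf['x'] }}`) is rendered into the string before the shell sees it and therefore carries exactly the same risk.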
## Impact

If exploited, an attacker could execute arbitrary commands on the server running Airflow with the privileges of the Airflow worker, potentially leading to data theft, system compromise, or further attacks within the infrastructure. This can result in loss of sensitive information and disruption of services.