SYM_PY_0027 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
User input from environment variables or command-line arguments is being passed directly to system calls like os.system() or os.popen(), making the application vulnerable to command injection. This lets attackers execute arbitrary system commands if they can control the input.
Impact
If exploited, an attacker could run malicious commands on the server with the same privileges as the application. This could lead to data theft, server compromise, deletion of files, or full system takeover, putting sensitive information and infrastructure at serious risk.