SYM_PY_0028 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
The code passes user-controlled input from environment variables or command-line arguments directly into OS command execution functions like os.exec*. This allows attackers to inject and run arbitrary system commands.
Impact
If exploited, an attacker could execute malicious commands on the server with the application's privileges, potentially leading to data theft, system compromise, or a complete takeover of the host machine. This can seriously jeopardize the security and integrity of the application and its underlying infrastructure.