SYM_PY_0031 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
User input from environment variables or command-line arguments is being passed directly to asyncio's subprocess_exec, which can allow attackers to inject malicious commands. Failing to sanitize this input makes the code vulnerable to command injection.
Impact
If exploited, an attacker could execute arbitrary system commands with the application's privileges, potentially leading to data theft, server compromise, or complete control over the system. This can result in severe data breaches, service disruption, and loss of trust.