SYM_PY_0032 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
| Property | Value |
|---|---|
| Language | Python |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
User-controlled input from environment variables or command-line arguments is passed directly, or spliced into a source string, and handed to run_in_subinterp, which compiles and executes the string in a fresh subinterpreter inside the same process. Anything the attacker can place in the string is executed as Python, so they can inject and run arbitrary code. Note that a subinterpreter is not a subprocess and not a sandbox: it shares the process, its privileges, its file descriptors and its environment with the caller.
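The sink pattern described above, shown as an added example beside a hardened variant (this is illustrative code written for this page, not code from the Symbiotic database or from any project it catalogues). It assumes `run_in_subinterp` from CPython's `_testcapi` test module; because that module is absent from some Python installs, the example falls back to `exec()` so the demonstration still runs. The greeting template, the `GREET_NAME` variable and the `INJECTION` payload are constructed for the example.

```python
"""CWE-95 via run_in_subinterp: a vulnerable code builder beside a hardened one."""
import ast
import os
import re
import sys

# _testcapi.run_in_subinterp is a CPython test helper, not a public API, and is not
# shipped with every interpreter. Fall back to exec() purely so the demo runs; the
# injection is identical either way because the defect is in the string being built,
# not in which executor runs it (exec() is even less isolated than a subinterpreter).
try:
    from _testcapi import run_in_subinterp
except ImportError:
    def run_in_subinterp(code: str) -> int:
        exec(code, {"__name__": "__main__"})
        return 0


def build_greeting_vulnerable(name: str) -> str:
    """Vulnerable: untrusted input is spliced into Python source with an f-string."""
    return f"print('Hello, {name}!')"


# Allowlist: letters, digits, space, underscore, hyphen; at most 64 characters.
_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9 _-]{0,63}")


def build_greeting_hardened(name: str) -> str:
    """Hardened: reject anything outside the allowlist, then embed the value only as
    a Python string literal produced by repr(), which cannot terminate the literal."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"rejected name: {name!r}")
    return f"print('Hello, ' + {name!r} + '!')"


def statement_count(code: str) -> int:
    """Count top-level statements in the generated source. The template contains
    exactly one call; a second statement means the input escaped the literal."""
    return len(ast.parse(code).body)


def run_greeting(name: str, hardened: bool) -> int:
    """Build the source with the chosen builder and execute it in a subinterpreter."""
    builder = build_greeting_hardened if hardened else build_greeting_vulnerable
    return run_in_subinterp(builder(name))


# Constructed payload: closes the string literal and the print() call, then appends
# its own statement. The trailing '#' comments out the remainder of the template.
INJECTION = "x'); print('INJECTED, cwd is', __import__('os').getcwd()) #"

if __name__ == "__main__":
    # Same untrusted sources the finding describes: environment, then argv.
    name = os.environ.get("GREET_NAME") or (sys.argv[1] if len(sys.argv) > 1 else INJECTION)
    print("generated:", build_greeting_vulnerable(name))
    print("statements:", statement_count(build_greeting_vulnerable(name)))
    run_greeting(name, hardened=False)          # runs the attacker's statement
    try:
        run_greeting(name, hardened=True)       # rejects the payload before any code runs
    except ValueError as exc:
        print("hardened builder:", exc)
```

Run it with no arguments to see the payload executed by the vulnerable builder and rejected by the hardened one, or with `GREET_NAME=Alice` to see both succeed. The allowlist does the real work; `repr()` only guarantees that whatever survives the allowlist lands inside a string literal and never as code. The better fix still is to not generate source from untrusted data at all and to hand the data to the subinterpreter through a data channel rather than through the code string.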
Impact
If exploited, an attacker can execute arbitrary Python code with the privileges of the application process; because the subinterpreter shares that process, this is equivalent to code execution in the application itself. Likely consequences are theft of data the process can read, tampering with its state or files, and full compromise of the host on which it runs, with the attendant data loss and service disruption.