SYM_PY_0039 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
## Description

Calling `asyncio.create_subprocess_exec` with arguments that are not static strings or trusted inputs can allow attackers to inject malicious commands if user-controlled data is used. This creates a risk of command injection vulnerabilities in your code.
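The following is an added example, not code from the wiki entry, contrasting an unchecked `asyncio.create_subprocess_exec` call with a hardened one that fixes the program name, allow-lists the argument and ends option parsing with `--`. Since `create_subprocess_exec` does not go through a shell, the practical risk is argument injection (a user value that the child parses as an option or as a path), which is what the check below targets; the `wc` program, the base directory and the file-name pattern are assumptions.

```python
import asyncio
import re
from pathlib import PurePosixPath

# Assumed base directory for user-supplied file names (example value).
BASE_DIR = PurePosixPath("/var/app/uploads")
# Allow-list: a plain file name. The first character must be alphanumeric, so
# option-looking values ("-v") and dot-files ("..", ".bashrc") are rejected;
# no character can be a path separator or shell syntax.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def safe_arg(user_value: str) -> str:
    """Return a vetted absolute path for one user-supplied file name."""
    if not NAME_RE.fullmatch(user_value):
        raise ValueError(f"rejected argument: {user_value!r}")
    return str(BASE_DIR / user_value)


def is_safe_arg(user_value: str) -> bool:
    """Boolean wrapper around safe_arg, convenient for logging and tests."""
    try:
        safe_arg(user_value)
        return True
    except ValueError:
        return False


async def count_lines_vulnerable(user_value: str) -> bytes:
    # BAD: the user value reaches the child unchanged. No shell is involved,
    # but a value starting with '-' is parsed by 'wc' as an option and a value
    # containing '../' makes it read a file outside BASE_DIR.
    proc = await asyncio.create_subprocess_exec(
        "wc", "-l", user_value, stdout=asyncio.subprocess.PIPE)
    out, _ = await proc.communicate()
    return out


async def count_lines_hardened(user_value: str) -> bytes:
    # GOOD: fixed program name, allow-listed argument, and '--' so that the
    # child cannot interpret anything after it as an option.
    proc = await asyncio.create_subprocess_exec(
        "wc", "-l", "--", safe_arg(user_value), stdout=asyncio.subprocess.PIPE)
    out, _ = await proc.communicate()
    return out


if __name__ == "__main__":
    for candidate in ("report.txt", "-v", "../etc/passwd"):
        print(f"{candidate!r}: {'accepted' if is_safe_arg(candidate) else 'rejected'}")
```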
## Impact

If exploited, an attacker could execute arbitrary system commands with the same privileges as your application, leading to data theft, server compromise, or complete system takeover. This can result in loss of sensitive data, service outages, or further attacks within your infrastructure.