SYM_PY_0042 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | High |
Description
Calling subprocess functions with shell=True passes the command string to the system shell for parsing, so any user input concatenated into that string is interpreted by the shell rather than treated as plain data. This makes the code vulnerable to command injection: an attacker who controls the input can use shell metacharacters to change the command that runs and execute arbitrary system commands.
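The following is an added example, not code from the SymbioticSec wiki: it places the shell=True pattern the entry warns about beside the argument-list form that keeps input as data, plus a shlex.quote variant for the rare case where a shell is genuinely required and a small metacharacter check that is useful for logging or input validation. The sample input and the function names are constructed for illustration.

```python
"""Added example (not from the SymbioticSec wiki entry): shell=True versus an
argv list in subprocess, using a harmless `echo` so the difference is visible."""
import shlex
import subprocess

# Constructed sample input: a filename-like value carrying a shell separator.
SAMPLE_INPUT = "report.txt; echo INJECTED"

# Characters that change how /bin/sh parses a command line.
SHELL_METACHARACTERS = set(";&|`$()<>\n'\"\\*?[]{}~!#")


def vulnerable_echo(user_value: str) -> str:
    """The flawed pattern: the value is spliced into a string that /bin/sh
    parses, so the ';' ends the intended command and starts a second one."""
    completed = subprocess.run(
        f"echo {user_value}", shell=True, capture_output=True, text=True, check=True
    )
    return completed.stdout


def hardened_echo(user_value: str) -> str:
    """Fixed form: no shell, argv list. The whole value reaches echo as one
    argument, so metacharacters are printed literally instead of executed."""
    completed = subprocess.run(
        ["echo", user_value], capture_output=True, text=True, check=True
    )
    return completed.stdout


def quoted_shell_echo(user_value: str) -> str:
    """If a shell really is needed (pipes, globbing), shlex.quote wraps the
    value so the shell sees it as a single word."""
    completed = subprocess.run(
        f"echo {shlex.quote(user_value)}",
        shell=True, capture_output=True, text=True, check=True,
    )
    return completed.stdout


def has_shell_metacharacters(value: str) -> bool:
    """Defensive check for validation or audit logging; it does not replace
    dropping shell=True, because the argv form needs no such filtering."""
    return any(ch in SHELL_METACHARACTERS for ch in value)


if __name__ == "__main__":
    print("shell=True    :", repr(vulnerable_echo(SAMPLE_INPUT)))
    print("argv list     :", repr(hardened_echo(SAMPLE_INPUT)))
    print("shlex.quote   :", repr(quoted_shell_echo(SAMPLE_INPUT)))
    print("metacharacters:", has_shell_metacharacters(SAMPLE_INPUT))
```

Running it shows the shell=True call producing two lines (the second command ran), while both the argv-list and shlex.quote forms print the input back as a single literal line. The argv form is the preferred fix: it removes the shell from the path entirely, so there is nothing to quote or filter.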
Impact
If an attacker can supply input to one of these subprocess calls, they can run unauthorized commands on the server with the privileges of the application process, potentially leading to data theft, server compromise, or service disruption. The result can be loss of sensitive information and loss of control over the application environment.