SYM_PY_0046 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
User input from environment variables or command-line arguments is being passed directly to asyncio subprocess shell functions without proper sanitization. This allows attackers to inject arbitrary shell commands into your application's subprocess calls.
Impact
If exploited, an attacker could execute unauthorized system commands with the privileges of your application, potentially leading to data theft, data loss, system compromise, or further attacks on internal or external systems.