SYM_PY_0050 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
The code passes user-controlled input (such as environment variables or command-line arguments) directly to functions that spawn new system processes. This makes it possible for attackers to inject and execute arbitrary commands on the system.
Impact
If exploited, an attacker could run malicious commands with the same privileges as the application, potentially leading to data theft, system compromise, or further attacks on internal resources. This could result in a full takeover of the affected server or environment.