SYM_PY_0057 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Wildcards or Matching Symbols
Property | Value |
---|---|
Language | Python |
Severity | |
CWE | CWE-155: Improper Neutralization of Wildcards or Matching Symbols |
OWASP | A1:2017 - Injection |
Confidence Level | Low |
Impact Level | Low |
Likelihood Level | Low |
Description
Running shell commands such as tar, chmod, chown, or rsync with a wildcard argument (e.g., '*') through Python's os.system, or through subprocess with shell=True, leaves the wildcard to be expanded by the shell before the tool ever runs. The expansion yields every matching entry in the directory, including names chosen by anyone who can create files there. A name that begins with '-' is passed to the tool as just another argument and is parsed as an option rather than as a file, so the command operates on unexpected files or performs actions the author never intended. Note the related surprise in the other direction: a literal '*' in an argument list passed to subprocess without shell=True is not expanded at all and is handed to the tool verbatim.
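The pattern above, shown as an added example that is not part of the original wiki entry: one function reproduces the argument vector a shell would hand to tar for `tar cf backup.tar *`, another builds the hardened vector (no shell, `--` to end option parsing, `./` prefix on every name). The directory and its file names are constructed for the demonstration; the hostile name uses GNU tar's real `--checkpoint-action=exec=` option, but the `evil.sh` it references does not exist and is never run.

```python
"""CWE-155 in Python: shell wildcard expansion turns attacker-named files into
tar options. Added example; the directory contents are constructed."""
import os
import shutil
import subprocess
import tempfile

# The vulnerable pattern: the shell expands `*` before tar sees any argument.
# Shown as a string only; it is never executed in this example.
VULNERABLE_COMMAND = "cd {workdir} && tar cf backup.tar *"

# Attacker-chosen names that `*` will match. GNU tar parses the first as an
# option that executes a command; the second looks like an option to most tools.
ATTACKER_NAMES = ["--checkpoint-action=exec=sh evil.sh", "-rf"]


def make_demo_dir():
    """Create a scratch directory with one benign file plus the hostile names."""
    workdir = tempfile.mkdtemp(prefix="cwe155-")
    for name in ["report.txt"] + ATTACKER_NAMES:
        with open(os.path.join(workdir, name), "w") as fh:
            fh.write("constructed sample content\n")
    return workdir


def cleanup_demo_dir(workdir):
    """Remove the scratch directory created by make_demo_dir()."""
    shutil.rmtree(workdir, ignore_errors=True)


def shell_expanded_argv(workdir):
    """Approximate what /bin/sh hands to tar for VULNERABLE_COMMAND: `*` becomes
    every non-dot entry, and nothing marks them as file names rather than options."""
    expanded = sorted(n for n in os.listdir(workdir) if not n.startswith("."))
    return ["tar", "cf", "backup.tar"] + expanded


def hijacked_options(argv):
    """Operands after `tar cf backup.tar` that tar would parse as options."""
    return [a for a in argv[3:] if a.startswith("-")]


def safe_tar_argv(workdir):
    """Argument vector a hostile file name cannot hijack:
    - no shell involved, so nothing is glob-expanded behind our back;
    - `--` ends option parsing for tar;
    - a `./` prefix makes every operand unambiguously a path."""
    names = sorted(n for n in os.listdir(workdir) if not n.startswith("."))
    return ["tar", "cf", "backup.tar", "--"] + ["./" + n for n in names]


def tar_available():
    """True if a tar binary is on PATH (the hardened run is skipped otherwise)."""
    return shutil.which("tar") is not None


def run_safe_backup(workdir):
    """Run the hardened command without a shell; returns the CompletedProcess.
    Passing a literal "*" in this list would NOT be expanded: tar would simply
    report that no file named '*' exists."""
    return subprocess.run(safe_tar_argv(workdir), cwd=workdir, check=True)


if __name__ == "__main__":
    d = make_demo_dir()
    try:
        print("shell would pass:", shell_expanded_argv(d))
        print("parsed as options:", hijacked_options(shell_expanded_argv(d)))
        print("hardened argv:", safe_tar_argv(d))
        if tar_available():
            run_safe_backup(d)
            print("backup.tar created:", os.path.exists(os.path.join(d, "backup.tar")))
    finally:
        cleanup_demo_dir(d)
```

The hardened form relies on two independent measures: the argument list bypasses the shell entirely, and `--` plus the `./` prefix protect against the same file names reaching any tool that still performs its own option parsing. Dropping either one is enough to reopen the issue, since `--` alone does nothing for a tool that does not honour it, and enumerating in Python alone still passes `-rf` as a bare operand.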
Impact
An attacker who can create files in a directory the command globs over can choose names that, once expanded by the wildcard, are consumed as options or extra operands by the invoked tool. For tools with options that execute commands (for example tar's --checkpoint-action=exec= or rsync's -e), this yields command execution with the privileges of the calling process; for chmod and chown it can change permissions or ownership of files the author did not intend to touch. Depending on the privileges of the process running the command, this can lead to privilege escalation, unauthorized code execution, or compromise of the application's integrity and security.