SYM_PY_0058 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
## Description

This code passes data from environment variables or command-line arguments directly into Python's `code.InteractiveConsole` or `code.InteractiveInterpreter`. Both compile and execute whatever text they are given, so if user-controlled input reaches them, an attacker can execute arbitrary Python code inside your application process.
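The pattern this entry flags, shown as an added example (not code from the Symbiotic database) next to a hardened alternative that accepts only Python literals; the function names are hypothetical.

```python
# Added example, not taken from the Symbiotic database: a vulnerable sink
# of the kind this entry describes, and a hardened replacement.
import ast
import code
import sys


def run_config_expression_vulnerable(source: str) -> dict:
    """VULNERABLE: evaluates an attacker-controllable string as Python.

    `source` typically arrives from os.environ[...] or sys.argv[...].
    InteractiveInterpreter.runsource() compiles and executes the text, so
    any Python statement in it runs with the process's privileges.
    """
    ns: dict = {}
    interp = code.InteractiveInterpreter(locals=ns)
    # runsource() returns False once a complete statement has been executed
    interp.runsource(source)
    return ns


def parse_config_value_safe(source: str):
    """HARDENED: accept only Python literals (numbers, strings, lists, dicts).

    ast.literal_eval never evaluates calls, attribute access or imports, so a
    string that tries to call __import__ is rejected instead of executed.
    If the input does not need to be a Python value at all, the better fix is
    to not evaluate it and to parse it as plain data (int(), a fixed choice
    list, JSON) instead.
    """
    try:
        return ast.literal_eval(source)
    except (ValueError, SyntaxError, TypeError) as exc:
        raise ValueError(f"refusing to evaluate non-literal input: {source!r}") from exc


if __name__ == "__main__":
    # constructed default so the script runs without arguments
    value = sys.argv[1] if len(sys.argv) > 1 else "[1, 2, 3]"
    print(parse_config_value_safe(value))
```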
## Impact

Exploiting this vulnerability allows an attacker to run arbitrary Python code on your server, potentially leading to data theft, system compromise, or a complete takeover of your application environment. This can result in loss of sensitive information, service disruption, or further attacks against your infrastructure.