SYM_PY_0066 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Calling logging.config.listen() in Python is risky because configuration data received on the listener's socket is passed through eval() while it is being applied, so a payload that is not verified before it is processed can execute arbitrary code inside the application's process.
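The mitigation a practitioner wants here is to authenticate every configuration chunk before the listener parses it. The example below is added to this entry and is not code from the SymbioticSec database; it assumes Python 3.10 or newer (where `logging.config.listen()` accepts a `verify` callable that is run on the raw bytes and whose `None` return makes the listener discard the chunk), a shared secret distributed out of band, and a wire format defined only here: a 32-byte HMAC-SHA256 tag followed by the configuration bytes. The weak and hardened `listen()` calls are shown side by side in `start_listener()`.

```python
"""Added example: authenticating payloads sent to logging.config.listen().

Assumptions not stated on the wiki page: Python >= 3.10 (``verify`` parameter),
a shared secret ``secret`` known to the sender and the listening process, and
the constructed wire format ``<32-byte HMAC-SHA256 tag><config bytes>``.
"""
import hashlib
import hmac
import json
import logging
import logging.config

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_config(secret: bytes, config: bytes) -> bytes:
    """Trusted sender side: prepend an HMAC-SHA256 tag to the config bytes."""
    tag = hmac.new(secret, config, hashlib.sha256).digest()
    return tag + config


def make_verifier(secret: bytes):
    """Build the ``verify`` callable for listen().

    The listener calls it on every received chunk *before* the chunk is parsed
    and handed to dictConfig()/fileConfig() (the stage where parts of the
    configuration are eval()'d).  Returning None drops the chunk; returning
    bytes lets processing continue with those bytes.
    """

    def verify(chunk: bytes):
        if len(chunk) <= TAG_LEN:          # no room for a tag plus a config
            return None
        tag, config = chunk[:TAG_LEN], chunk[TAG_LEN:]
        expected = hmac.new(secret, config, hashlib.sha256).digest()
        # Constant-time comparison so a mismatch does not leak timing.
        if not hmac.compare_digest(tag, expected):
            return None
        return config

    return verify


def start_listener(secret: bytes,
                   port: int = logging.config.DEFAULT_LOGGING_CONFIG_PORT):
    """Start the configuration listener with authentication enforced.

    Weak form (what the wiki entry flags):
        logging.config.listen(port)                 # applies any local payload
    Hardened form used here:
        logging.config.listen(port, verify=...)     # unauthenticated data dropped
    """
    listener = logging.config.listen(port, verify=make_verifier(secret))
    listener.start()
    return listener


def demo() -> bool:
    """Offline round-trip with a constructed dictConfig payload (no socket)."""
    secret = b"constructed-shared-secret"           # constructed sample value
    config = json.dumps({"version": 1, "root": {"level": "INFO"}}).encode()
    verify = make_verifier(secret)
    accepted = verify(sign_config(secret, config)) == config
    rejected = verify(sign_config(b"wrong-secret", config)) is None
    return accepted and rejected


if __name__ == "__main__":
    print("verifier behaves as expected:", demo())
```

`start_listener()` is the only function that opens a socket; stop it with `logging.config.stopListening()` when the process shuts down. Anything the verifier returns `None` for never reaches `fileConfig()`/`dictConfig()`, so the eval() path is only ever exercised on data that carried a valid tag under the shared secret.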
Impact
If exploited, an attacker with access to the local machine could send malicious configuration data that the listener executes, compromising the application's process. This could lead to unauthorized actions such as data theft, system manipulation, or further escalation of privileges on the host.