SYM_PY_0107 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description
User input from the 'event' object is being passed directly to a subprocess call with shell=True, which allows the input to be interpreted as a shell command. This makes the code vulnerable to command injection if an attacker can control the event data.
Impact
If exploited, an attacker could execute arbitrary system commands with the permissions of the running process, potentially leading to data theft, system compromise, or disruption of service. This can result in significant security breaches, especially in environments handling sensitive data or critical operations.