SYM_PY_0112 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
## Description

User-provided data from the `event` object is passed directly to `asyncio.loop.subprocess_exec`, so untrusted input becomes part of the command that is executed. If that input is not validated before use, this creates a command injection risk.
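An added example, not code from the SymbioticSec database or from any flagged project: the pattern this rule describes beside a hardened form. The `event` dict with a `host` field, the `vulnerable_handler`/`hardened_handler` names and the fixed `/bin/ping` binary are assumptions for illustration.

```python
import asyncio
import re

PING = "/bin/ping"  # assumed fixed program path; never taken from the event
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")  # strict hostname/IPv4 allowlist


class _Collect(asyncio.SubprocessProtocol):
    """Minimal protocol for loop.subprocess_exec: gathers output, resolves on exit."""
    def __init__(self, done: asyncio.Future):
        self.out, self.done = bytearray(), done

    def pipe_data_received(self, fd, data):
        self.out += data

    def connection_lost(self, exc):  # called after exit and all pipes closed
        self.done.set_result(bytes(self.out))


async def _run(argv):
    loop = asyncio.get_running_loop()
    done = loop.create_future()
    transport, _ = await loop.subprocess_exec(lambda: _Collect(done), *argv, stdin=None)
    try:
        return await done
    finally:
        transport.close()


# Vulnerable: the event value becomes an argv element unchanged. subprocess_exec
# spawns without a shell, so ';' or '|' are not interpreted, but the caller still
# controls the argument (an option-looking value, an arbitrary target) and, where
# the program name itself comes from the event, the whole command.
async def vulnerable_handler(event: dict) -> bytes:
    return await _run(["/bin/ping", "-c", "1", event["host"]])


def build_argv(event: dict) -> list:
    """Hardened: fixed program, allowlisted argument, '--' ends option parsing."""
    host = event.get("host", "")
    if not HOST_RE.match(host) or host.startswith("-"):
        raise ValueError("rejected host value")
    return [PING, "-c", "1", "--", host]


async def hardened_handler(event: dict) -> bytes:
    return await _run(build_argv(event))


if __name__ == "__main__":
    print(build_argv({"host": "example.com"}))  # validated argv for the fixed binary
    try:
        build_argv({"host": "-c 99999"})
    except ValueError as e:
        print("blocked:", e)
```

Where the task can be done with a library call instead of a child process, prefer that; the allowlist above is the fallback when spawning is unavoidable.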
## Impact

If exploited, an attacker could run arbitrary commands on your server with the application's privileges, potentially leading to data theft, service disruption, or full system compromise. This can severely impact the security and integrity of your application and infrastructure.