SYM_PY_0115 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
## Description
User-controlled input from the 'event' object is being passed directly to 'asyncio.create_subprocess_exec', which can allow attackers to execute arbitrary system commands. This is a command injection risk because untrusted data is used in process creation without proper sanitization.
## Impact
If exploited, an attacker could run malicious commands on the server with the application's privileges, potentially leading to data theft, service disruption, or complete system compromise. This can result in data breaches, unauthorized access, or loss of control over the affected environment.
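The pattern flagged above, shown as an added example that is not code from the Symbiotic-Vulnerability-Database project or from the scanned application. `asyncio.create_subprocess_exec` passes its arguments straight to the new process without invoking a shell, so the danger is not shell metacharacters but letting the event decide which program runs or what options it receives. The vulnerable handler below takes the whole command line from the event; the hardened handler maps an allowlisted action name to a fixed program, validates the single user-supplied parameter against a strict pattern, and places `--` before it so a value beginning with `-` cannot be parsed as an option. The `event` dict shape, the action names and the argv templates are assumptions made for this example.

```python
"""Added example: hardening an asyncio event handler that spawns a process.

The `event` dict, the action names and the argv templates are constructed
for this example; they are not taken from the scanned application.
"""
import asyncio
import re

# --- Vulnerable pattern (kept for contrast): program name and arguments
# come straight from the event, so whoever controls the event picks what runs.
async def handle_event_vulnerable(event: dict) -> int:
    argv = event["cmd"].split()  # e.g. "ls -l /tmp" -> ["ls", "-l", "/tmp"]
    proc = await asyncio.create_subprocess_exec(*argv)
    return await proc.wait()

# --- Hardened pattern: fixed allowlist of programs, a validated parameter,
# and "--" so a parameter that starts with "-" is never read as an option.
ACTIONS = {
    "disk_usage": ["df", "-h", "--"],   # df -h -- <path>
    "list_dir":   ["ls", "-ld", "--"],  # ls -ld -- <path>
}

# Absolute path built from a conservative character set: no whitespace,
# no shell metacharacters. ".." components are rejected separately below.
_SAFE_PATH = re.compile(r"^/(?:[A-Za-z0-9._-]+/?)*$")


def build_argv(event: dict) -> list[str]:
    """Translate an event into a fixed argv, or raise ValueError."""
    action = event.get("action")
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    path = event.get("path", "")
    if not isinstance(path, str) or not _SAFE_PATH.match(path):
        raise ValueError(f"rejected path: {path!r}")
    if ".." in path.split("/"):
        raise ValueError(f"rejected path traversal: {path!r}")
    return [*ACTIONS[action], path]


async def handle_event_hardened(event: dict) -> tuple[int, str]:
    """Run the allowlisted program for the event and return (rc, output)."""
    argv = build_argv(event)
    proc = await asyncio.create_subprocess_exec(
        *argv, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.STDOUT
    )
    out, _ = await proc.communicate()
    return proc.returncode, out.decode(errors="replace")


if __name__ == "__main__":
    # Constructed sample events: one acceptable, two the allowlist rejects.
    samples = [
        {"action": "disk_usage", "path": "/"},
        {"action": "disk_usage", "path": "/; rm -rf /"},
        {"action": "shell", "path": "/"},
    ]
    for ev in samples:
        try:
            rc, out = asyncio.run(handle_event_hardened(ev))
            print(ev, "->", rc, out.splitlines()[0] if out else "")
        except ValueError as err:
            print(ev, "-> rejected:", err)
```

The validation lives in `build_argv`, which has no side effects, so it can be unit-tested without spawning anything; `handle_event_hardened` only ever executes argv lists that `build_argv` produced.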