SYM_SH_0002 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
| Property | Value |
|---|---|
| Language | bash |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Piping data directly from a curl command into bash allows external code from an untrusted server to be executed on your system. This practice is insecure because attackers could modify the server's response to run malicious commands.
Impact
If exploited, an attacker could execute arbitrary commands with the privileges of the user running the script, potentially leading to full system compromise, data theft, or malware installation. This could impact both individual machines and organizational infrastructure.
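One way to avoid the pipe described above, as an added example that is not part of the original wiki entry: download the script to a file, compare its SHA-256 against a digest pinned ahead of time, and run it only on a match. The function names are hypothetical, the URL and digest are supplied by the caller, and `sha256sum` from GNU coreutils is assumed to be available.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki entry). Function names are hypothetical.
# Flagged pattern, shown for contrast only:
#   curl -fsSL "$url" | bash

# verify_sha256 FILE EXPECTED_HEX: succeed only if FILE hashes to EXPECTED_HEX.
verify_sha256() {
  local file="$1"
  local expected="$2"
  local actual
  actual=$(sha256sum "$file" 2>/dev/null | awk '{print $1}')
  # An empty digest (unreadable file, missing pin) must never count as a match.
  [ -n "$actual" ] && [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# run_verified FILE EXPECTED_HEX: execute FILE with bash only after the check passes.
run_verified() {
  local file="$1"
  local expected="$2"
  if ! verify_sha256 "$file" "$expected"; then
    echo "refusing to run $file: SHA-256 mismatch" >&2
    return 1
  fi
  bash "$file"
}

# fetch_and_run URL EXPECTED_HEX: download completely, verify, then run.
# The caller supplies the URL and a digest pinned out of band (assumption).
fetch_and_run() {
  local url="$1"
  local expected="$2"
  local tmp
  local rc=0
  tmp=$(mktemp) || return 1
  # HTTPS only, TLS 1.2 or newer, fail on HTTP errors, write to a file.
  if curl --proto '=https' --tlsv1.2 -fsSL -o "$tmp" "$url"; then
    run_verified "$tmp" "$expected" || rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}
```

The pinned digest has to come from a source other than the server that hosts the script, otherwise a modified response can carry a matching digest with it.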