Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: high
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

User-controlled input from an event object is being passed directly to an asyncio subprocess shell function. This allows untrusted data to be executed as part of a system command, creating a command injection risk.

Impact

If exploited, an attacker could run arbitrary system commands on the server, potentially accessing sensitive data, modifying files, or taking control of the application environment. This can lead to data breaches, service disruption, or full system compromise.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: high
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

User-provided data from the 'event' object is passed directly to 'asyncio.loop.subprocess_exec', which can allow untrusted input to be executed as part of a system command. This creates a risk of command injection if the input is not properly sanitized.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: high
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

User-controlled input from the 'event' object is being passed directly to 'asyncio.create_subprocess_exec', which can allow attackers to execute arbitrary system commands. This is a command injection risk because untrusted data is used in process creation without proper sanitization.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: high
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

User-controlled data from the 'event' object is being passed directly to OS process-spawning functions (such as os.spawn* or os.startfile). This allows untrusted input to dictate system commands, creating a serious security risk.

Impact

If exploited, an attacker could execute arbitrary commands on the server, potentially leading to data theft, service disruption, or full system compromise. This can result in loss of sensitive information, unauthorized access, and severe reputational and operational damage.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: high
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

The code passes user-supplied input directly to os.system(), allowing attackers to inject and execute arbitrary system commands. This is insecure because it lets users control what commands are run on the server.

Impact

If exploited, attackers can execute any command with the application’s privileges—potentially reading or modifying sensitive data, taking control of the server, or disrupting service. This can lead to data breaches, server compromise, and significant damage to the organization’s systems and reputation.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: high
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: High
Impact Level: Medium
Likelihood Level: High

Description

User-supplied data from Flask requests is being passed directly into subprocess calls without proper validation or sanitization. This allows attackers to control command arguments, leading to unsafe command execution.

Impact

If exploited, an attacker could execute arbitrary system commands on the server, potentially stealing data, installing malware, or taking full control of the host. This can result in data breaches, service outages, or further compromise of your infrastructure.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: low
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Building shell commands by concatenating or formatting strings, especially with user input, can allow attackers to inject additional commands. Instead, pass the command and its arguments as a list (without invoking a shell) so that user input is never interpreted as shell syntax.

Impact

If exploited, an attacker could execute arbitrary system commands with the privileges of your application, potentially leading to data theft, corruption, or complete system compromise. This can expose sensitive information or allow attackers to take control of your server.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: high
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: High
Impact Level: High
Likelihood Level: Medium

Description

Detected user input entering a subprocess call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, read sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API equivalents of system commands. If you must use subprocess, use a dictionary to allowlist a fixed set of commands and map user input to one of those entries.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: python
Severity: high
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

User input from web requests is being passed directly into os.system() commands. This allows attackers to inject and execute arbitrary system commands on the server, making the code highly insecure.

Impact

If exploited, an attacker could execute malicious commands on the server with the application’s privileges, leading to data theft, server compromise, service disruption, or a complete system takeover. This puts sensitive data and the integrity of the entire application at risk.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: ruby
Severity: high
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

This vulnerability occurs when user input from sources like params, cookies, or request environment is passed directly to file or shell commands. Without proper validation or sanitization, attackers can manipulate these inputs to execute unintended commands or access files they shouldn’t.