| Property | |
|---|---|
| Language | bash |
| Severity |  |
| CWE | CWE-94: Improper Control of Generation of Code (‘Code Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
This code contains hidden Unicode bidirectional (bidi) characters, which can make code appear differently to reviewers than how it actually executes. Attackers can use these characters to disguise malicious code or change logic flow in a way that’s hard to detect.
| Property | |
|---|---|
| Language | generic |
| Severity |  |
| CWE | CWE-94: Improper Control of Generation of Code (‘Code Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | Medium |
The code includes a Bash reverse shell command, which allows remote attackers to open a shell on the server and execute arbitrary commands. This exposes the system to unauthorized remote control.
If exploited, an attacker could gain full remote access to the server, execute malicious commands, steal sensitive data, or compromise other systems in the network. This can lead to complete system takeover, data breaches, and significant operational disruption.
| Property | |
|---|---|
| Language |  |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code (‘Code Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
The code calls syscall.Exec or syscall.ForkExec with commands or arguments that are not fixed values, potentially using user input. This allows untrusted data to determine what gets executed by the system shell, risking code injection.
If exploited, an attacker could execute arbitrary system commands with the application’s privileges, leading to data theft, server compromise, or further attacks on internal systems. This could result in complete loss of control over the affected server or application.
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code (‘Code Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
The code runs system commands using dynamic or user-controlled input with exec.Command or exec.CommandContext, instead of hardcoded commands. This exposes the application to code injection risks if untrusted data can reach these calls.
If exploited, an attacker could execute arbitrary system commands on your server, leading to data theft, system compromise, or full remote control of the application environment. This can result in data loss, service disruption, and severe security breaches.
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code (‘Code Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Low |
The code constructs commands for exec.Cmd using variables or user-controlled input, rather than fixed, hard-coded strings. This allows potentially untrusted data to influence which commands are executed, making the code vulnerable to command injection.
If an attacker can control or influence the input used in exec.Cmd, they could execute arbitrary system commands with the application’s privileges. This can lead to data theft, system compromise, or unauthorized access to sensitive resources, severely impacting the application’s security and integrity.
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code (‘Code Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
User-controlled or dynamic input is being passed directly to the otto VM’s Run function, allowing untrusted scripts to be executed. This exposes your code to code injection risks if input isn’t properly validated or sanitized.
If exploited, an attacker could run arbitrary JavaScript code within your application’s context, potentially leading to data theft, service disruption, or full system compromise. This could allow them to bypass security controls, access sensitive data, or execute further attacks.
| Property | |
|---|---|
| Language |  |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code (‘Code Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Using JavaScript’s eval() function in Scala.js with input that can come from users or external sources allows attackers to inject and execute arbitrary code. This makes your application vulnerable to code injection attacks.
If exploited, an attacker could run malicious JavaScript in your application’s context—potentially stealing sensitive data, manipulating the app’s behavior, or compromising user accounts. This can lead to data breaches, unauthorized actions, or a complete takeover of affected systems.
| Property | |
|---|---|
| Language | java |
| Severity |  |
| CWE | CWE-94: Improper Control of Generation of Code (‘Code Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
The code uses GroovyShell or GroovyClassLoader to execute dynamically built expressions, which may include untrusted or unsanitized input. This allows attackers to inject and run arbitrary Groovy code if the input is not properly validated.
If exploited, an attacker could execute malicious code on the server, leading to data theft, data loss, server compromise, or full control of the application environment. This can result in severe breaches, including unauthorized system access and data exposure.
| Property | |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code (‘Code Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
The code dynamically evaluates OGNL expressions using input that may come from untrusted sources. If these values are not properly validated or sanitized, attackers could inject malicious code into the expression and execute arbitrary commands.
Exploiting this vulnerability could allow an attacker to execute arbitrary Java code on the server, access sensitive data, modify application behavior, or take full control of the application. This can lead to data breaches, system compromise, and significant harm to both users and the organization.
| Property | |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code (‘Code Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
User-controlled data is being passed directly to a ScriptEngine’s eval() method, which allows dynamic code execution. This means attackers could inject and run arbitrary code if they control the input.
If exploited, an attacker could execute malicious code within your application’s environment, potentially gaining unauthorized access, stealing data, or taking control of the server. This can lead to full system compromise and significant data breaches.