Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Property
Language: python
Severity: medium
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The code is passing dynamic or external data to run_in_subinterp, which can lead to execution of arbitrary Python code. This is unsafe if user input or untrusted data is involved.

Impact

If exploited, an attacker could execute malicious Python code on the server, potentially gaining access to sensitive information, modifying data, or taking control of the system. This could lead to data breaches and full compromise of the application or host.

Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Property
Language: python
Severity: medium
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Using dynamic or external input as code in _xxsubinterpreters.run_string allows untrusted data to be executed as Python code. This makes it possible for attackers to inject and run arbitrary commands if they can control the input.

Impact

If exploited, an attacker could execute malicious Python code on the server, leading to data theft, system compromise, or full control over the application. This can result in severe breaches such as data loss, unauthorized access, or server takeover.

Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Property
Language: python
Severity: high
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

User-controlled input from environment variables or command-line arguments is being passed directly to run_in_subinterp, allowing untrusted code to be executed. This makes it possible for attackers to inject and run arbitrary Python code within a subprocess.

Impact

If exploited, an attacker could execute malicious Python code on the server, potentially leading to data theft, system compromise, or a complete takeover of the application. This could result in loss of sensitive data, disruption of services, and significant security breaches.

Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Property
Language: python
Severity: medium
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The code uses the exec() function, which executes Python code from a string. If any part of that string can be influenced by user input or external sources, this allows attackers to run arbitrary code within your application.

Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Property
Language: python
Severity: medium
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The code is passing dynamic or external input into Python’s InteractiveConsole or InteractiveInterpreter methods, which can execute arbitrary code. This is risky because it allows untrusted data to control what code gets run.

Impact

If exploited, an attacker could execute malicious Python commands on your system, potentially leading to data theft, system compromise, or complete takeover of the application server. This could expose sensitive information and disrupt operations.

Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Property
Language: python
Severity: low
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Directly assigning arbitrary values to a class’s __annotations__ attribute can be unsafe, especially if those values are later passed to typing.get_type_hints, which evaluates string annotations in the global and local namespaces. This could allow unexpected or malicious code execution if the annotation values are not strictly controlled.
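The following is an added example, not part of the scanner rule text or of any project's code. It shows that string entries assigned to a class's __annotations__ are evaluated when typing.get_type_hints runs, and it adds a guard that parses each string with the ast module and accepts only the node types a type expression legitimately contains (names, attribute access, subscripts, tuples, constants and | unions). The Record and Tainted classes and their annotation dictionaries are constructed for the example.

```python
# Added example (not part of the scanner rule text): string annotations in
# __annotations__ are evaluated by typing.get_type_hints, so untrusted
# strings must be checked before that call. Classes and inputs are constructed.
import ast
import typing

# Node types a plain type expression may contain. Call, Lambda, comprehensions
# and similar are deliberately absent, so any expression that would *do*
# something rather than name a type is rejected.
_ALLOWED_NODES = (
    ast.Expression, ast.Name, ast.Attribute, ast.Subscript, ast.Tuple,
    ast.List, ast.Constant, ast.BinOp, ast.BitOr, ast.Load,
    getattr(ast, "Index", ast.Constant),  # Python < 3.9 wraps subscripts in Index
)


def is_safe_annotation(text: str) -> bool:
    """True if `text` parses as a type expression built only from allowed nodes."""
    try:
        tree = ast.parse(text, mode="eval")
    except SyntaxError:
        return False
    return all(isinstance(node, _ALLOWED_NODES) for node in ast.walk(tree))


def safe_type_hints(cls):
    """typing.get_type_hints with a pre-check on every string annotation."""
    for name, value in vars(cls).get("__annotations__", {}).items():
        if isinstance(value, str) and not is_safe_annotation(value):
            raise ValueError(f"refusing to evaluate annotation for {name!r}: {value!r}")
    return typing.get_type_hints(cls)


class Record:
    pass


# Constructed: annotations assigned directly, as the rule describes. These
# strings are valid type expressions and are resolved to real types.
Record.__annotations__ = {"count": "int", "tags": "list[str]"}


class Tainted:
    pass


# Constructed: a string that is a call expression, not a type. Passing this
# class straight to get_type_hints would execute the call; the guard refuses.
Tainted.__annotations__ = {"x": "print('evaluated')"}


def guard_rejects(cls) -> bool:
    """True if safe_type_hints refuses the class's annotations."""
    try:
        safe_type_hints(cls)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(safe_type_hints(Record))  # {'count': <class 'int'>, 'tags': list[str]}
    print(guard_rejects(Tainted))   # True
```

The guard is a syntactic allowlist: it does not try to evaluate anything itself, it only refuses to hand get_type_hints a string that contains syntax a type expression never needs.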

Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Property
Language: python
Severity: high
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

The code passes user-controlled input—such as environment variables or command-line arguments—directly into _xxsubinterpreters.run_string(), allowing execution of arbitrary Python code. This means an attacker could inject and run their own code within your application.

Impact

If exploited, an attacker could execute malicious Python commands with the same privileges as your application. This can lead to data theft, unauthorized access, service disruption, or full system compromise, putting sensitive data and systems at significant risk.

Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Property
Language: python
Severity: high
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

This code passes data from environment variables or command-line arguments directly into Python’s InteractiveConsole or InteractiveInterpreter. If user-controlled input reaches these functions, attackers could execute arbitrary Python code within your application.

Impact

Exploiting this vulnerability allows attackers to run any Python code on your server, potentially leading to data theft, system compromise, or a complete takeover of your application environment. This can result in loss of sensitive information, service disruption, or further attacks against your infrastructure.

Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Property
Language: python
Severity: medium
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The code uses Python’s eval() function, which executes arbitrary code from a string. If any part of the evaluated content can be influenced by user input or external sources, this introduces a major security risk.

Impact

An attacker could inject malicious code through user-controllable input, leading to remote code execution, data theft, or complete compromise of the server. This can result in data loss, unauthorized access, or full system takeover.
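The following is an added example, not part of the scanner rule text or of any project's code. It places the pattern this rule flags (user-supplied arithmetic handed to eval()) next to a hardened form that parses the expression with the ast module and evaluates only an allowlist of node types and operators, so anything other than numbers, known variable names and basic arithmetic is refused. The function names, the variable dictionary and the sample expressions are constructed for the example.

```python
# Added example (not part of the scanner rule text): the flagged eval() pattern
# beside an allowlisting evaluator. Names and inputs are constructed.
import ast
import operator

# Operators the hardened evaluator accepts. Pow is left out on purpose:
# a huge exponent is a cheap denial of service.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def unsafe_calculate(expression: str, variables: dict) -> float:
    """The pattern the rule flags: untrusted text reaches eval().
    Emptying __builtins__ is not a sandbox and does not make this safe."""
    return eval(expression, {"__builtins__": {}}, dict(variables))


def safe_calculate(expression: str, variables: dict) -> float:
    """Evaluate an arithmetic expression over known variables without eval().
    Raises ValueError for any construct outside the allowlist."""
    tree = ast.parse(expression, mode="eval")

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant):
            # bool is an int subclass; reject it explicitly
            if isinstance(node.value, (int, float)) and not isinstance(node.value, bool):
                return node.value
            raise ValueError(f"disallowed constant: {node.value!r}")
        if isinstance(node, ast.Name):
            if node.id in variables:
                return variables[node.id]
            raise ValueError(f"unknown variable {node.id!r}")
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](ev(node.operand))
        # Calls, attribute access, subscripts, comprehensions, lambdas, ...
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return ev(tree)


def is_rejected(expression: str, variables: dict) -> bool:
    """True if the hardened evaluator refuses the expression."""
    try:
        safe_calculate(expression, variables)
    except (ValueError, SyntaxError, ZeroDivisionError):
        return True
    return False


if __name__ == "__main__":
    ctx = {"price": 2.5, "qty": 4}  # constructed variables
    print(safe_calculate("price * qty - 5", ctx))   # 5.0
    print(is_rejected("print('evaluated')", ctx))   # True: Call is not allowed
    print(is_rejected("price.__class__", ctx))      # True: Attribute is not allowed
```

If the input is meant to be a literal data structure rather than an expression, ast.literal_eval is the standard-library replacement; the evaluator above is for the case where a small arithmetic language over named values is genuinely required.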

Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Property
Language: python
Severity: low
CWE: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Using logging.config.listen() in Python can be risky because it evaluates incoming configuration data with eval(), which may execute arbitrary code if the input isn’t properly verified. This can inadvertently allow unsafe code to run within your application.

Impact

If exploited, an attacker with access to the local machine could send malicious configuration data that gets executed, potentially compromising the application’s process. This could lead to unauthorized actions such as data theft, system manipulation, or further escalation of privileges on the host.
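The following is an added example, not part of the scanner rule text or of any project's code. logging.config.listen() accepts a verify callable that receives the raw bytes from the socket and returns either the bytes to process or None to discard them; the example uses that hook so that only configurations carrying a valid HMAC-SHA256 tag under a shared key are processed. The shared key, the tag framing (hex tag, newline, body) and the sample configuration are constructed assumptions; the listener thread is only started from __main__.

```python
# Added example (not part of the scanner rule text): attaching an HMAC check to
# logging.config.listen() through its `verify` callback. The shared key and the
# framing format are assumptions made for this example.
import hashlib
import hmac
import logging.config

SHARED_KEY = b"constructed-shared-secret-for-the-example"  # assumption: provisioned out of band
_TAG_LEN = hashlib.sha256().digest_size * 2  # length of the hex-encoded tag


def sign_config(config_bytes: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Producer side: prefix the configuration with 'hex(HMAC-SHA256)\\n'."""
    tag = hmac.new(key, config_bytes, hashlib.sha256).hexdigest().encode()
    return tag + b"\n" + config_bytes


def verify_config(data: bytes, key: bytes = SHARED_KEY):
    """Listener side, matching the `verify` contract of logging.config.listen():
    return the bytes the listener should process, or None to ignore the message."""
    tag, sep, body = data.partition(b"\n")
    if not sep or len(tag) != _TAG_LEN:
        return None  # missing or malformed tag: drop silently
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None  # tag does not match body under the shared key
    return body


def start_verified_listener(port: int):
    """Start the stdlib listener thread with the verifier attached."""
    thread = logging.config.listen(port, verify=verify_config)
    thread.start()
    return thread


# Constructed sample configuration in the JSON dictConfig form the listener accepts.
SAMPLE_CONFIG = b'{"version": 1, "root": {"level": "INFO"}}'

if __name__ == "__main__":
    signed = sign_config(SAMPLE_CONFIG)
    print(verify_config(signed) == SAMPLE_CONFIG)                      # True
    print(verify_config(SAMPLE_CONFIG))                                # None: no tag
    print(verify_config(signed.replace(b"INFO", b"DEBUG")))            # None: body altered
    # To run for real: t = start_verified_listener(9030); ... ; logging.config.stopListening()
```

Unverified messages are dropped before the listener reaches its eval()-based configuration path, which is the point of the hook; the key must be kept out of the configuration data itself and reachable only by the legitimate producer and the listening process.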