Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)

Property
Language: java
Severity: medium
CWE: CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

User-controlled or variable data is being directly inserted into LDAP queries without proper validation or sanitization. This allows attackers to manipulate LDAP statements by injecting malicious input.

Impact

If exploited, attackers could bypass authentication, access unauthorized data, or modify directory information. This can lead to data breaches, privilege escalation, or compromise of sensitive application resources.

Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)

Property
Language: java
Severity: medium
CWE: CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

When an LDAP search is configured to return serialized Java objects and the query is built from untrusted or unsanitized input, an attacker who can influence the LDAP response can supply a malicious serialized object. This exposes the application to unsafe deserialization and remote code execution.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: clojure
Severity: medium
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Medium

Description

The code executes shell commands using clojure.java.shell/sh with arguments that may include user input. If these inputs aren’t properly validated or sanitized, attackers could inject malicious commands.

Impact

If exploited, an attacker could run arbitrary system commands on the server, leading to data theft, system compromise, or full remote code execution. This could result in loss of sensitive data, service disruption, or a complete takeover of the application environment.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: yaml
Severity: critical
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: High
Impact Level: High
Likelihood Level: High

Description

Interpolating GitHub context variables (such as issue titles or pull request bodies) directly into run: steps allows untrusted user input to be evaluated as part of the shell command. This makes it possible for attackers to inject and run malicious code in your CI workflow.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: yaml
Severity: medium
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The code downloads data with curl and then executes it with eval. If the remote server is compromised or malicious, or the download is tampered with in transit, the returned content is executed on your system, leading to severe security risks.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: yaml
Severity: high
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A03:2021 – Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

Using Argo workflow or input parameters directly inside shell or Python scripts (such as script templates) can allow untrusted input to be executed as commands or code. This makes your workflow vulnerable to command or code injection.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: csharp
Severity: medium
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The code builds and runs operating system commands using input that comes from external sources, without properly checking or sanitizing that input. This allows attackers to inject malicious commands that the system will execute.

Impact

If exploited, an attacker could execute arbitrary commands on the server, potentially gaining full control over the system, accessing sensitive data, modifying files, or disrupting application functionality. This can lead to severe breaches, data loss, or complete system compromise.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: go
Severity: medium
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The code writes dynamic, potentially untrusted data to the input of an OS command using StdinPipe without proper validation. This allows user-controlled input to influence command execution, making the code vulnerable to command injection.

Impact

If exploited, an attacker could inject commands or scripts that are executed by the server, leading to unauthorized actions such as data theft, system compromise, or complete takeover of the application environment. This poses a critical risk to application integrity and data security.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: scala
Severity: medium
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The code runs external system commands using dynamic or user-influenced input with Scala’s Seq and sys.process. This allows attackers to inject malicious commands if input is not properly sanitized or controlled.

Impact

If exploited, an attacker could execute arbitrary system commands on the server, potentially leading to data theft, data loss, unauthorized access, or full system compromise. This can result in severe breaches of confidentiality and integrity for your application and infrastructure.

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Property
Language: scala
Severity: medium
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

This code runs shell commands by passing dynamic or user-controlled data directly to a shell (e.g., sh or bash) through Scala’s sys.process API. If this input isn’t properly sanitized, attackers can inject arbitrary commands.

Impact

An attacker could execute unauthorized system commands on your server, potentially stealing data, altering files, or taking control of the system. This could lead to data breaches, service outages, or full system compromise.