Property
Language
Severity
CWE	CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP	A01:2017 - Injection
Confidence Level	Low
Impact Level	Medium
Likelihood Level	Low

Description

The code runs external system commands using dynamic strings with sys.process (like command.! or command.!!), which can allow untrusted input to control the executed command. This makes the application vulnerable to command injection attacks.

Impact

If exploited, an attacker could execute arbitrary system commands on the server, potentially gaining access to sensitive data, modifying files, or taking control of the system. This may lead to data breaches, service disruption, or a full system compromise.

Property
Language
Severity
CWE	CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP	A01:2017 - Injection
Confidence Level	Low
Impact Level	High
Likelihood Level	Low

Description

Building command strings for Runtime.exec or loadLibrary using string concatenation or formatting with user-influenced variables is unsafe. This allows attackers to inject malicious commands if inputs aren’t properly validated or sanitized.

Impact

If exploited, attackers could execute arbitrary system commands on the server, leading to data theft, system compromise, or complete control over the application environment. This can result in data breaches, service disruptions, and significant damage to the organization.

Property
Language	java
Severity
CWE	CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP	A01:2017 - Injection
Confidence Level	Low
Impact Level	High
Likelihood Level	Low

Description

User-controlled or unsanitized input is being passed to a ProcessBuilder command. This allows attackers to inject and execute arbitrary system commands if they can influence these variables.

Impact

If exploited, an attacker could execute arbitrary commands on the server, potentially gaining unauthorized access, stealing data, or taking control of the system. This can lead to full system compromise and serious breaches of sensitive information.

Property
Language	java
Severity
CWE	CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP	A01:2017 - Injection
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	Medium

Description

User input taken directly from an HTTP request is being passed to system commands via ProcessBuilder or Runtime.exec without proper validation. This allows attackers to inject malicious commands into the operating system.

Impact

If exploited, an attacker could execute arbitrary system commands on your server, potentially gaining full control, stealing data, or disrupting service. This can lead to data breaches, server compromise, and serious security incidents.

Property
Language	java
Severity
CWE	CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP	A01:2017 - Injection
Confidence Level	Low
Impact Level	High
Likelihood Level	Low

Description

The code establishes a network socket and connects it to a system process, effectively allowing remote users to send commands to the server for execution. This creates a reverse shell, which can let attackers remotely control the host machine.

Property
Language	java
Severity
CWE	CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP	A01:2017 - Injection
Confidence Level	Low
Impact Level	High
Likelihood Level	Low

Description

User-controlled input is being directly used in Runtime.exec() or Runtime.loadLibrary() calls after string concatenation or formatting. This allows an attacker to inject malicious commands into the system shell if the input is not properly sanitized.

Property
Language	java
Severity
CWE	CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP	A01:2017 - Injection
Confidence Level	High
Impact Level	High
Likelihood Level	High

Description

User input is being directly included in system command execution (like Runtime.exec or ProcessBuilder) without proper validation or separation. This allows attackers to inject malicious commands that the server will run.

Impact

If exploited, attackers could execute arbitrary commands on your server, leading to data theft, system compromise, malware installation, or complete loss of control over the application and underlying infrastructure.

Property
Language
Severity
CWE	CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP	A01:2017 - Injection
Confidence Level	Low
Impact Level	High
Likelihood Level	Low

Description

Using user-controlled input as a command in child_process functions (like exec or spawn) can allow attackers to inject malicious commands. This happens when input isn’t properly validated or sanitized before being passed to the system shell.

Property
Language
Severity
CWE	CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP	A01:2017 - Injection
Confidence Level	Low
Impact Level	Low
Likelihood Level	Low

Description

Cloning a Git repository using a URL that comes from untrusted input can allow attackers to inject and execute arbitrary shell commands on your system. This happens because Git supports special URL formats that can trigger shell execution.

Property
Language
Severity
CWE	CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP	A01:2017 - Injection
Confidence Level	Low
Impact Level	Medium
Likelihood Level	High

Description

The code is running shell commands using variables or non-literal input when calling functions like spawn() or spawnSync() from the child_process module. This allows potentially untrusted data to control what commands are executed in the shell, making the code vulnerable to command injection.