Improper Control of Generation of Code (‘Code Injection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code (‘Code Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Low |
Description
The code constructs commands for exec.Cmd using variables or user-controlled input, rather than fixed, hard-coded strings. This allows potentially untrusted data to influence which commands are executed, making the code vulnerable to command injection.
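As an added illustration (not part of the rule text), the flagged pattern is shown next to a hardened form in Go. The functions `vulnerablePing` and `safePing`, the `ping` binary and the hostname allowlist regexp are assumptions constructed for this example; neither command is actually run, only the argv that exec.Cmd would receive is inspected.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

// hostPattern is a constructed allowlist for DNS-style hostnames: labels of
// letters, digits and hyphens separated by dots. Spaces, quotes and shell
// metacharacters do not match and are rejected before anything reaches exec.
var hostPattern = regexp.MustCompile(
	`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$`)

// vulnerablePing is the pattern the rule flags: user input is concatenated
// into a command string that a shell re-parses, so the input decides which
// commands run rather than only which host is pinged.
func vulnerablePing(host string) *exec.Cmd {
	return exec.Command("sh", "-c", "ping -c 1 "+host)
}

// safePing validates host against the allowlist and then invokes the binary
// directly, passing each argument as a separate argv element. No shell is
// involved, so the input can only ever be the hostname argument to ping.
func safePing(host string) (*exec.Cmd, error) {
	if len(host) > 253 || !hostPattern.MatchString(host) {
		return nil, errors.New("invalid hostname")
	}
	return exec.Command("ping", "-c", "1", host), nil
}

func main() {
	// Constructed inputs: a valid hostname and one carrying a shell metacharacter.
	for _, in := range []string{"example.com", "example.com;echo"} {
		fmt.Printf("vulnerable argv: %q\n", vulnerablePing(in).Args)
		if cmd, err := safePing(in); err != nil {
			fmt.Printf("safe: rejected %q: %v\n", in, err)
		} else {
			fmt.Printf("safe argv: %q\n", cmd.Args)
		}
	}
}
```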
Impact
If an attacker can control or influence the input used in exec.Cmd, they could execute arbitrary system commands with the application’s privileges. This can lead to data theft, system compromise, or unauthorized access to sensitive resources, severely impacting the application’s security and integrity.