Property
Language: java
Severity: medium
CWE: CWE-454: External Initialization of Trusted Variables or Data Stores
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

User input from HttpServletRequest is being used directly as environment variables in a Runtime.exec() command. This allows attackers to influence the environment of executed processes, which can lead to unexpected or malicious behavior.

Impact

An attacker could inject malicious values into environment variables, potentially altering the behavior of executed commands, stealing sensitive data, or escalating privileges. This could compromise application integrity and lead to broader system compromise.
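
The flagged pattern next to one hardened form, as an added example that is not part of the original rule page. The class name, the `APP_MODE` and `LANG` variables, the allowlist and `/usr/bin/env` as the child command are assumptions; the parameter is passed in as a plain `String` standing in for `request.getParameter(...)` so the code runs without a servlet container.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;

public class EnvFromRequestExample {
    // Hypothetical allowlist: the only LANG values this application accepts.
    private static final Set<String> ALLOWED_LANG = Set.of("C", "en_US.UTF-8", "de_DE.UTF-8");

    // Flagged pattern: 'param' stands for request.getParameter("env") and is used
    // unchanged as an envp entry, so the caller chooses both variable name and value.
    static String runVulnerable(String param) throws IOException, InterruptedException {
        Process p = Runtime.getRuntime().exec(new String[] {"/usr/bin/env"}, new String[] {param});
        return capture(p);
    }

    // Hardened form: the variable name is fixed in code, the value must match the
    // allowlist, and the child environment is built from scratch.
    static String runHardened(String langParam) throws IOException, InterruptedException {
        if (langParam == null || !ALLOWED_LANG.contains(langParam)) {
            throw new IllegalArgumentException("unsupported locale");
        }
        ProcessBuilder pb = new ProcessBuilder("/usr/bin/env");
        Map<String, String> env = pb.environment();
        env.clear();                       // drop everything inherited from the JVM
        env.put("PATH", "/usr/bin:/bin");  // fixed, server-chosen value
        env.put("LANG", langParam);        // validated request value
        pb.redirectErrorStream(true);
        return capture(pb.start());
    }

    // Reads the child's output (here: the environment it received) and waits for exit.
    private static String capture(Process p) throws IOException, InterruptedException {
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        p.waitFor();
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs standing in for request parameters.
        System.out.print(runVulnerable("APP_MODE=debug")); // child sees whatever was sent
        System.out.print(runHardened("en_US.UTF-8"));      // child sees only PATH and LANG
        try {
            runHardened("en_US.UTF-8\nAPP_MODE=debug");    // not on the allowlist
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```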