Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
Input taken from HTTP requests is passed, unvalidated, to Python's os.exec* family of functions to spawn system processes. Because the request data becomes part of the command (or the command itself), an attacker can control which system commands the application executes, making this pattern highly insecure.
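The flagged pattern next to a hardened form, as an added example (not code from the rule or any project it scans). It assumes a hypothetical "ping this host" endpoint: the vulnerable builder splices the request value into a shell command line, while the hardened builder allowlists the value and passes it as a single argv element with no shell, using subprocess instead of os.exec*.

```python
import re
import subprocess

# Allowlist for a hostname: alphanumerics, dots and hyphens, bounded length,
# no shell metacharacters. (Constructed for this example.)
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def build_command_vulnerable(host: str) -> list[str]:
    """The pattern the rule flags: the request value is concatenated into a
    shell command line, so /bin/sh interprets whatever the client sent."""
    return ["/bin/sh", "-c", "ping -c 1 " + host]


def is_valid_host(host: str) -> bool:
    """Allowlist check: reject anything that is not a plain hostname."""
    return HOST_RE.fullmatch(host) is not None


def build_command_hardened(host: str) -> list[str]:
    """Hardened form: validate first, then pass the value as one argv element.
    No shell is involved, so the value can only ever be ping's host argument;
    '--' stops a value starting with '-' from being read as an option."""
    if not is_valid_host(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", "--", host]


def run_ping(host: str) -> int:
    """Spawn ping with an argv list and shell=False (the default) and return
    its exit status, rather than replacing the process with os.exec*."""
    argv = build_command_hardened(host)
    return subprocess.run(argv, check=False, timeout=5).returncode
```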
Impact
An attacker could execute arbitrary system commands on the server, leading to data theft, server compromise, or complete system takeover. This can result in loss of sensitive data, service disruption, and significant reputational or financial damage.