Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
## Description
User-provided input is passed directly to the methods of Python's InteractiveConsole or InteractiveInterpreter, which compile and execute it as Python code at runtime. An attacker who controls that input can therefore have code of their choosing executed by your application.
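The flagged pattern next to a safe alternative, as an added Python example that is not part of the rule page or its vendor's code: the sink that executes untrusted text, a literal-only parser for the common case where the input was meant to be data, and a small AST check that locates the sink methods in source. Function names and the sample inputs are constructed for illustration.

```python
import ast
import code


def vulnerable_eval(user_input: str) -> dict:
    """Pattern this rule flags: untrusted text reaches
    InteractiveInterpreter.runsource(), which compiles and executes it
    as Python statements. The namespace is returned so the effect is
    observable."""
    namespace = {}
    interp = code.InteractiveInterpreter(locals=namespace)
    interp.runsource(user_input)  # any statement in user_input runs here
    return namespace


def hardened_parse(user_input: str):
    """Replacement when the input is meant to be data, not code:
    ast.literal_eval builds numbers, strings, tuples, lists, dicts, sets,
    booleans and None from the text and never executes anything.
    Assignments, calls, attribute access and imports are rejected."""
    try:
        return ast.literal_eval(user_input)
    except (ValueError, SyntaxError, TypeError) as exc:
        raise ValueError("input is not a plain Python literal") from exc


def find_console_sinks(source: str) -> list:
    """Heuristic AST check in the spirit of this rule: line numbers of
    calls to methods named push/runsource/runcode (the executing methods
    of InteractiveConsole and InteractiveInterpreter). It does no taint
    tracking, so each hit still needs a look at where the argument
    comes from."""
    sinks = {"push", "runsource", "runcode"}
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in sinks):
            hits.append(node.lineno)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed inputs: a benign config literal, an assignment
    # statement, and a three-line snippet containing the sink.
    print(hardened_parse("{'debug': True, 'retries': 3}"))
    print(vulnerable_eval("marker = 42")["marker"])
    print(find_console_sinks("import code\n"
                             "c = code.InteractiveConsole()\n"
                             "c.push(user_input)\n"))
```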
## Impact
If exploited, an attacker could run arbitrary Python commands on your server, potentially gaining full control over the system, accessing sensitive data, altering application behavior, or causing service disruptions.