Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| OWASP | A1:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
The code takes user-controlled input from environment variables or command-line arguments and passes it, without validation, into OS command execution functions such as the os.exec* family. When that input is interpolated into a command string that a shell interprets, metacharacters such as `;`, `|`, `&&`, backticks and `$(...)` let an attacker append or substitute commands of their own. When the input is passed as a separate argument with no shell involved, a value beginning with `-` can still be parsed as an option by the invoked program (argument injection). In either case the attacker runs commands of their choosing on the host.
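As an added example (not code from the original rule page), the vulnerable shell-string pattern the rule describes is shown beside an argv-list form with allowlist validation. The function names, the `GREET_NAME` variable and the use of `echo` as the invoked program are assumptions made for the illustration; the payload strings are constructed.

```python
"""CWE-78 in Python: a shell-string sink beside an argv-list sink.

Added example, not part of the original rule page.  greet_vulnerable,
greet_safe and GREET_NAME are hypothetical names; `echo` stands in for
whatever external program the application would really invoke.
"""
import os
import re
import subprocess
import sys


def greet_vulnerable(name: str) -> str:
    """Interpolates attacker-controlled text into a string run by /bin/sh.

    shell=True behaves like os.system()/os.popen() or
    os.execv("/bin/sh", ["sh", "-c", cmd]): `;`, `|`, `&&`, `$(...)` and
    backticks inside `name` become shell syntax rather than data.
    """
    completed = subprocess.run(
        f"echo Hello {name}", shell=True, capture_output=True, text=True, check=False
    )
    return completed.stdout


# Allowlist for the one value this command accepts.  Values outside it are
# rejected rather than escaped; shell escaping is easy to get wrong.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def validate_name(name: str) -> str:
    # A leading '-' is rejected separately: even with an argv list and no
    # shell, "-n" or "--help" would be parsed as an option by the invoked
    # program (argument injection), and the regex alone would let it through.
    if name.startswith("-") or not NAME_RE.fullmatch(name):
        raise ValueError(f"rejected command argument: {name!r}")
    return name


def greet_safe(name: str) -> str:
    """Passes the validated value as exactly one argv element, with no shell."""
    argv = ["echo", "Hello", validate_name(name)]
    completed = subprocess.run(
        argv, shell=False, capture_output=True, text=True, check=False
    )
    return completed.stdout


if __name__ == "__main__":
    # The input sources the rule flags: a CLI argument, falling back to an
    # environment variable.  The default is a constructed payload for demo use.
    untrusted = (
        sys.argv[1] if len(sys.argv) > 1
        else os.environ.get("GREET_NAME", "world; echo INJECTED")
    )
    print("vulnerable ->", repr(greet_vulnerable(untrusted)))
    try:
        print("safe       ->", repr(greet_safe(untrusted)))
    except ValueError as exc:
        print("safe       -> rejected:", exc)
```

Run it as `python example.py 'world; echo INJECTED'` or with `GREET_NAME='$(echo INJECTED)'`: the shell-string version prints the injected text, the argv version rejects the value before anything is executed. Note that the os.exec* functions do not start a shell on their own; the metacharacter problem arises when the command is routed through `sh -c`, while the leading-dash check is what still matters when the program is exec'd directly.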
Impact
If exploited, an attacker can execute arbitrary commands on the server with the privileges of the application process, potentially leading to data theft, compromise of the application, or a complete takeover of the host machine. This seriously jeopardizes the security and integrity of the application and the infrastructure it runs on.