Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description#
The code uses subprocess functions to run system commands without safely handling user input or ensuring commands are static. This can allow untrusted data to control what commands are executed, leading to command injection vulnerabilities.
Impact#
If exploited, an attacker could execute arbitrary system commands on the server, potentially leading to data theft, system compromise, or full control of the host. This puts sensitive information, system integrity, and overall application security at serious risk.