Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
| Property | Value |
|---|---|
| Language | Python |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | High |
Description
Calling subprocess functions (subprocess.run, subprocess.Popen, subprocess.call and similar) with shell=True hands the command string to the system shell instead of executing the program directly. If any part of that string is built from user input, the shell interprets metacharacters such as `;`, `|`, `&&` and `$(...)` in that input, so an attacker can append or substitute arbitrary system commands by manipulating the value they supply.
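The following is an added example, not code from the rule page: it shows the flagged pattern (user input interpolated into a shell=True command string) next to two hardened forms. The `wc -l` command and the constructed filename are assumptions chosen to make the injection observable.

```python
import shlex
import subprocess

# Constructed sample input: a filename under attacker control. The part after
# ';' is only meaningful if a shell parses it; $((6*7)) expands to 42 there.
UNTRUSTED_FILENAME = "report.txt; echo $((6*7))"


def vulnerable_line_count(filename: str) -> str:
    """The pattern this rule flags: untrusted input interpolated into a
    command string that is executed by /bin/sh because shell=True."""
    result = subprocess.run(
        f"wc -l {filename}", shell=True, capture_output=True, text=True
    )
    return result.stdout  # contains "42" for the constructed input


def safe_line_count(filename: str) -> str:
    """Hardened form 1: an argument list with shell=False (the default).
    The filename reaches wc as one argv entry and no shell ever parses it;
    '--' also stops a filename starting with '-' from being read as a flag."""
    result = subprocess.run(
        ["wc", "-l", "--", filename], capture_output=True, text=True
    )
    return result.stdout  # empty: wc only reports the odd filename on stderr


def build_shell_command(filename: str) -> str:
    """Hardened form 2, for the rare case where a shell is genuinely needed
    (e.g. a pipeline): quote each untrusted value with shlex.quote so the
    shell treats it as a single literal word."""
    return f"wc -l -- {shlex.quote(filename)}"


def quoted_line_count(filename: str) -> str:
    """Run the shlex-quoted command through the shell to show that quoting
    neutralises the metacharacters in the constructed input."""
    result = subprocess.run(
        build_shell_command(filename), shell=True, capture_output=True, text=True
    )
    return result.stdout
```

Assumes a POSIX shell and `wc` are available; the comparison is between what reaches stdout in each case.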
Impact
If an attacker can supply input that reaches one of these subprocess calls, they can run unauthorized commands on your server, potentially leading to data theft, server compromise, or service disruption. This can result in loss of sensitive information and loss of control over your application environment.