Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
User-controlled input (such as environment variables or command-line arguments) is passed directly to subprocess functions without sanitization or validation. Because the input reaches a shell or command string unchanged, an attacker who controls it can alter the command that is executed and run additional system commands.
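The following is an added example and not code from the rule page or its project: it shows the flagged pattern (a command string built from user input and handed to `subprocess.run(..., shell=True)`) next to a hardened version that validates the input against an allow-list and passes an argument list so no shell ever parses it. The `ping` command, the function names and the hostname format are assumptions chosen for illustration; the sample inputs are constructed.

```python
"""Added example (not part of the rule page): the vulnerable subprocess
pattern the rule flags, next to a hardened version.  The command (ping),
the helper names and the hostname rule are illustrative assumptions."""
import os
import re
import shlex
import subprocess
import sys
from typing import List

# Allow-list for the one value we expect: a plausible DNS hostname.
# Anything else (spaces, ';', '|', '$', backticks, ...) is rejected outright.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_command_unsafe(target: str) -> str:
    """VULNERABLE: user input is concatenated into a single shell string.
    Whatever `target` contains becomes part of the command text."""
    return "ping -c 1 " + target


def run_unsafe(target: str) -> subprocess.CompletedProcess:
    """VULNERABLE: shell=True hands the string to /bin/sh, which interprets
    metacharacters such as ; | & $( ) and can start extra commands."""
    return subprocess.run(build_command_unsafe(target), shell=True,
                          capture_output=True, text=True)


def shell_would_split(command: str) -> List[str]:
    """Approximate how a POSIX shell tokenises the unsafe string.
    punctuation_chars=True makes shlex emit ; | & ( ) < > as separate
    tokens, so an injected command boundary shows up as a ';' token."""
    return list(shlex.shlex(command, punctuation_chars=True))


def validate_hostname(target: str) -> str:
    """Allow-list validation: accept only characters a hostname can contain."""
    if not HOSTNAME_RE.fullmatch(target):
        raise ValueError(f"rejected hostname: {target!r}")
    return target


def build_command_safe(target: str) -> List[str]:
    """HARDENED: validate first, then build an argv list.  The hostname is
    always delivered to ping as exactly one argument, never re-parsed."""
    return ["ping", "-c", "1", validate_hostname(target)]


def run_safe(target: str) -> subprocess.CompletedProcess:
    """HARDENED: shell defaults to False, so the argv list goes straight to
    execve(); no shell is involved and no metacharacter is interpreted."""
    return subprocess.run(build_command_safe(target),
                          capture_output=True, text=True)


if __name__ == "__main__":
    # Input arrives from argv or an environment variable, exactly the sources
    # the rule describes.  Only the command is printed here; nothing is run.
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("TARGET_HOST", "localhost")
    print("unsafe shell string :", build_command_unsafe(target))
    print("shell would see     :", shell_would_split(build_command_unsafe(target)))
    try:
        print("safe argv           :", build_command_safe(target))
    except ValueError as exc:
        print("safe path rejected  :", exc)
```

With a constructed input such as `example.com; echo injected`, `shell_would_split` shows the shell seeing a second command after the `;` token in the unsafe string, while `build_command_safe` raises `ValueError` before any process is started. The two defences are independent: the argv list alone already prevents shell interpretation, and the allow-list additionally keeps unexpected values (for example option-like strings starting with `-`) away from the target program.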
Impact
If exploited, an attacker could execute arbitrary system commands on the server, potentially gaining unauthorized access, stealing data, or compromising the entire system. This puts sensitive information and core infrastructure at significant risk.