| Property | Value |
|---|---|
| Language | python |
| Severity | high |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |

Description

The code passes user-controlled input (such as environment variables or command-line arguments) directly to functions that spawn new system processes. This makes it possible for attackers to inject and execute arbitrary commands on the system.
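
The flagged pattern beside two safer forms, as an added example (not the rule's own test code). `TOOL`, `UNTRUSTED`, `SAFE_NAME` and the three function names are hypothetical, the input is a constructed harmless string, and a POSIX `/bin/sh` is assumed for the `shell=True` case:

```python
import re
import subprocess
import sys

# Stand-in for an external tool: a child Python process that prints its first argument.
TOOL = [sys.executable, "-c", "import sys; print(sys.argv[1])"]

# Constructed sample input; in the flagged pattern it would come from os.environ or sys.argv.
UNTRUSTED = "report.txt; echo INJECTED"

# Allow-list for the value: no shell metacharacters, no leading "-" (option injection).
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def run_vulnerable(name: str) -> str:
    """Flagged pattern: input concatenated into a string that a shell parses."""
    cmd = f'"{TOOL[0]}" {TOOL[1]} "{TOOL[2]}" {name}'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(name: str) -> str:
    """No shell: the input is passed as exactly one argv entry."""
    return subprocess.run(TOOL + [name], capture_output=True, text=True, check=True).stdout


def run_validated(name: str) -> str:
    """Hardened call plus an allow-list check before any process is spawned."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected argument: {name!r}")
    return run_hardened(name)


if __name__ == "__main__":
    print("shell=True :", run_vulnerable(UNTRUSTED).splitlines())
    print("argv list  :", run_hardened(UNTRUSTED).splitlines())
    try:
        run_validated(UNTRUSTED)
    except ValueError as exc:
        print("validated  :", exc)
```

With `shell=True` the text after `;` runs as a second command; with an argument list the whole string reaches the tool as a single literal argument, and the allow-list rejects it before a process is spawned.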

Impact

If exploited, an attacker could run malicious commands with the same privileges as the application, potentially leading to data theft, system compromise, or further attacks on internal resources. This could result in a full takeover of the affected server or environment.