Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
| Property | |
|---|---|
| Language | Python |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
logging.config.listen() starts a thread that accepts logging configurations over a localhost socket and applies them with fileConfig() or dictConfig(). In the configparser (fileConfig) format the handler class and args entries are passed through eval(), and both formats let a configuration name arbitrary classes and factory callables to import and instantiate, so whatever is received on the socket can end up executing code inside your application. With the default verify=None every configuration that arrives is applied unchecked; the verify parameter (Python 3.4 and later) is where incoming bytes must be authenticated before they reach the configuration code.
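As an added illustration that is not part of the original page or the Python documentation: the hardened pattern is to give listen() a verify callable that only accepts configurations carrying a valid HMAC tag, so unsigned data from any other local process is discarded before fileConfig()/dictConfig() ever see it. The names CONFIG_KEY, sign_config, verify_config, frame_config and start_listener are this example's own; the verify contract (return the config bytes to accept, None to reject) and the 4-byte big-endian length prefix on the wire are the stdlib's.

```python
"""Hardened use of logging.config.listen(): accept only HMAC-signed
configurations so unsigned input never reaches fileConfig()/dictConfig().

CONFIG_KEY, sign_config, verify_config, frame_config and start_listener are
names invented for this example, not part of the logging module.
"""
import hashlib
import hmac
import logging
import logging.config
import struct
from typing import Optional

# Shared secret between the process calling listen() and the tool that
# pushes configurations. Hard-coded only for this stand-alone demo; load it
# from a protected file or secret store in a real deployment.
CONFIG_KEY = b"replace-with-a-32-byte-random-key"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_config(config: bytes, key: bytes = CONFIG_KEY) -> bytes:
    """Prefix the configuration with an HMAC-SHA256 tag over its contents."""
    tag = hmac.new(key, config, hashlib.sha256).digest()
    return tag + config


def verify_config(payload: bytes, key: bytes = CONFIG_KEY) -> Optional[bytes]:
    """Callable for listen(verify=...).

    The listener passes exactly the bytes a client sent after the length
    prefix. Returning bytes accepts them as the configuration to apply;
    returning None makes the listener silently drop the message.
    """
    if len(payload) <= TAG_LEN:
        return None
    tag, config = payload[:TAG_LEN], payload[TAG_LEN:]
    expected = hmac.new(key, config, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak tag bytes via timing.
    if not hmac.compare_digest(tag, expected):
        return None
    return config


def frame_config(payload: bytes) -> bytes:
    """Wire format listen() expects: 4-byte big-endian length, then the data."""
    return struct.pack(">L", len(payload)) + payload


def start_listener(port: int = logging.config.DEFAULT_LOGGING_CONFIG_PORT):
    """Start the listener thread with verification enabled.

    Calling listen(port) without verify= is the insecure default: every
    connection to the port is fed straight into fileConfig()/dictConfig().
    """
    t = logging.config.listen(port, verify=verify_config)
    t.daemon = True
    t.start()
    return t


# Constructed sample: a legitimate configparser-style configuration. In this
# format fileConfig() passes each handler's ``args`` line through eval(),
# which is exactly why unsigned input must never reach it.
SAMPLE_CONFIG = b"""\
[loggers]
keys=root

[handlers]
keys=console

[formatters]
keys=plain

[logger_root]
level=INFO
handlers=console

[handler_console]
class=StreamHandler
level=INFO
formatter=plain
args=(sys.stderr,)

[formatter_plain]
format=%(levelname)s %(name)s %(message)s
"""

if __name__ == "__main__":
    signed = sign_config(SAMPLE_CONFIG)
    assert verify_config(signed) == SAMPLE_CONFIG       # signed: accepted
    assert verify_config(SAMPLE_CONFIG) is None         # unsigned: rejected
    assert verify_config(signed[:-1] + b"x") is None    # tampered: rejected
    wire = frame_config(signed)                         # what a client would send
    print("signed frame is", len(wire), "bytes; verification checks passed")
```

A client pushing a new configuration sends frame_config(sign_config(config_bytes)) to the port; anything that does not carry a tag under the shared key is dropped without being parsed. The key must not be readable by the other local users the Impact section is concerned with, otherwise they can sign configurations themselves.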
Impact
The listener binds only to localhost, so the attacker needs access to the local machine, but no authentication: any local user or process that can connect to the port can send a configuration whose contents are evaluated inside the process that called listen(). The resulting code runs with that process's privileges and can read its data, alter its behaviour or suppress its logging, or serve as a stepping stone to further compromise or privilege escalation on the host.