Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description#
The code executes commands on a remote server using Paramiko’s exec_command without properly validating or sanitizing the input. This can allow attackers to inject malicious commands if user input is passed directly to exec_command.
Impact#
If exploited, an attacker could execute arbitrary commands on the remote system with the SSH user’s privileges, leading to data theft, system compromise, or disruption of services. This can result in loss of sensitive data, unauthorized access, and potential full system takeover.