CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Description
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-15 · CAPEC-43 · CAPEC-6 · CAPEC-88
CVEs mapped to this weakness (2,292)
page 104 of 115

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-28440 | | | 0.00 | — | 0.02 | | Dec 11, 2020 | All versions of package corenlp-js-interface are vulnerable to Command Injection via the main function. |
| CVE-2020-7789 | | | 0.00 | — | 0.02 | | Dec 11, 2020 | This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array. |
| CVE-2020-26245 | | | 0.00 | — | 0.02 | | Nov 27, 2020 | npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototype pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be… |
| CVE-2020-7778 | | | 0.00 | — | 0.02 | | Nov 26, 2020 | This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands. |
| CVE-2020-26217 | | | 0.00 | — | 0.85 | | Nov 16, 2020 | XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security… |
| CVE-2020-15271 | | | 0.00 | — | 0.02 | | Oct 26, 2020 | In lookatme (python/pypi package) versions prior to 2.3.0, the package automatically loaded the built-in "terminal" and "file_loader" extensions. Users that use lookatme to render untrusted markdown may have malicious shell commands automatically run on their system. This is… |
| CVE-2020-7752 | | | 0.00 | — | 0.06 | | Oct 26, 2020 | This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands. |
| CVE-2020-7735 | | | 0.00 | — | 0.02 | | Sep 25, 2020 | The package ng-packagr before 10.1.1 is vulnerable to Command Injection via the styleIncludePaths option. |
| CVE-2020-13948 | | | 0.00 | — | 0.03 | | Sep 17, 2020 | While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary access to Python's `os` package in the web application process in versions <… |
| CVE-2020-2276 | | | 0.00 | — | 0.02 | | Sep 16, 2020 | Jenkins Selection tasks Plugin 1.0 and earlier executes a user-specified program on the Jenkins controller, allowing attackers with Job/Configure permission to execute an arbitrary system command on the Jenkins controller as the OS user that the Jenkins process is running as. |
| CVE-2020-2261 | | | 0.00 | — | 0.01 | | Sep 16, 2020 | Jenkins Perfecto Plugin 1.17 and earlier executes a command on the Jenkins controller, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller. |
| CVE-2020-11977 | | | 0.00 | — | 0.03 | | Sep 15, 2020 | In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution. |
| CVE-2020-7730 | | | 0.00 | — | 0.03 | | Sep 4, 2020 | The package bestzip before 2.1.7 is vulnerable to Command Injection via the options param. |
| CVE-2020-7712 | | | 0.00 | — | 0.04 | | Aug 30, 2020 | This affects the package json before 10.0.0. It is possible to inject arbitrary commands using the parseLookup function. |
| CVE-2019-14904 | | | 0.00 | — | 0.00 | | Aug 25, 2020 | A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw… |
| CVE-2020-15123 | | | 0.00 | — | 0.04 | | Jul 20, 2020 | In codecov (npm package) before version 3.7.1 the upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. A similar CVE (CVE-2020-7597 for… |
| CVE-2020-11981 | | | 0.00 | — | 0.34 | | Jul 16, 2020 | An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands. |
| CVE-2020-8178 | | | 0.00 | — | 0.04 | | Jul 15, 2020 | Insufficient input validation in npm package `jison` <= 0.4.18 may lead to OS command injection attacks. |
| CVE-2020-8186 | | | 0.00 | — | 0.03 | | Jul 10, 2020 | A command injection vulnerability in the `devcert` module may lead to remote code execution when users of the module pass untrusted input to the `certificateFor` function. |
| CVE-2020-13619 | | | 0.00 | — | 0.03 | | Jul 1, 2020 | php/exec/escapeshellarg in Locutus PHP through 2.0.11 allows an attacker to achieve code execution. |