Operating System Command Injection
critical Web Application Scanning Plugin ID 98123
Language:
Synopsis
Operating System Command InjectionDescription
OS command injection occurs when user supplied input is used to form a command to be executed by the operating system.Scanner was able to inject specific Operating System commands and have the output from that command contained within the server response. This indicates that input is not being sanitized properly.
Solution
It is recommended that untrusted data is never used to form a command to be executed by the OS.To validate data, the application should ensure that the supplied value contains only the characters that are required to perform the required action.
See Also
https://www.owasp.org/index.php/OS_Command_Injection
http://projects.webappsec.org/w/page/13246950/OS%20Commanding
Plugin Details
Severity: Critical
ID: 98123
Type: remote
Family: Code Execution
Published: 3/31/2017
Updated: 5/25/2022
Scan Template: pci, api, scan
Risk Information
VPR
Risk Factor: High
Score: 8.4
CVSS v2
Risk Factor: Critical
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: Tenable
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score Source: Tenable
Reference Information
OWASP: 2010-A1, 2013-A1, 2017-A1, 2021-A3
WASC: OS Commanding
OWASP API: 2019-API8
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
CAPEC: 108, 43, 88, 35, 6, 15, 242, 77
PCI-DSS: 3.2-6.5.1
OWASP ASVS: 4.0.2-5.2.5, 4.0.2-5.3.8
DISA STIG: APSC-DV-002510
NIST: sp800_53-SI-10