Findings

High

Finding 22644: Potential for OS Command Injection
Severity: High
Status: Active, Verified
Date discovered: Aug. 23, 2024
Age: 0 days
Reporter: Infra Admin (infrasec_nunet)
CWE: 78
Location
Line Number
11
File Path
maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.

For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177

Mitigation

Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system

Finding 22645: Potential for OS Command Injection
Severity: High
Status: Active, Verified
Date discovered: Aug. 23, 2024
Age: 0 days
Reporter: Infra Admin (infrasec_nunet)
CWE: 78
Location
Line Number
13
File Path
maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.

For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177

Mitigation

Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system

Finding 22646: Potential for OS Command Injection
Severity: High
Status: Active, Verified
Date discovered: Aug. 23, 2024
Age: 0 days
Reporter: Infra Admin (infrasec_nunet)
CWE: 78
Location
Line Number
15
File Path
maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.

For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177

Mitigation

Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system

Finding 22647: Potential for OS Command Injection
Severity: High
Status: Active, Verified
Date discovered: Aug. 23, 2024
Age: 0 days
Reporter: Infra Admin (infrasec_nunet)
CWE: 78
Location
Line Number
17
File Path
maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.

For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177

Mitigation

Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system

Finding 22648: Potential for OS Command Injection
Severity: High
Status: Active, Verified
Date discovered: Aug. 23, 2024
Age: 0 days
Reporter: Infra Admin (infrasec_nunet)
CWE: 78
Location
Line Number
19
File Path
maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.

For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177

Mitigation

Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system

Finding 22649: Potential for OS Command Injection
Severity: High
Status: Active, Verified
Date discovered: Aug. 23, 2024
Age: 0 days
Reporter: Infra Admin (infrasec_nunet)
CWE: 78
Location
Line Number
21
File Path
maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.

For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177

Mitigation

Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system