Findings
High
Finding 23598: Potential for OS Command Injection
Severity | Status | Date discovered | Age | Reporter | CWE
High | Active, Verified | Sept. 5, 2024 | 0 days | Infra Admin (infrasec_nunet) | 78
Location
File Path | maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
Calling out to the operating system to execute commands is generally not recommended. When the
application does execute operating-system commands, user input must never be used to construct the
command or its arguments. If possible, use a library that provides the same functionality without
spawning a process. Otherwise, hard-code both the command and its arguments, or at the very least
restrict which arguments can be passed to the command-execution function. This matters most for
system(), the function flagged here: it hands the whole string to /bin/sh -c, so any shell
metacharacter in an attacker-controlled portion of that string is interpreted by the shell.
For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177
Mitigation
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1
Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021
Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017
Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system
Finding 23599: Potential for OS Command Injection
Severity | Status | Date discovered | Age | Reporter | CWE
High | Active, Verified | Sept. 5, 2024 | 0 days | Infra Admin (infrasec_nunet) | 78
Location
File Path | maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
Calling out to the operating system to execute commands is generally not recommended. When the
application does execute operating-system commands, user input must never be used to construct the
command or its arguments. If possible, use a library that provides the same functionality without
spawning a process. Otherwise, hard-code both the command and its arguments, or at the very least
restrict which arguments can be passed to the command-execution function. This matters most for
system(), the function flagged here: it hands the whole string to /bin/sh -c, so any shell
metacharacter in an attacker-controlled portion of that string is interpreted by the shell.
For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177
Mitigation
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1
Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021
Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017
Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system
Finding 23600: Potential for OS Command Injection
Severity | Status | Date discovered | Age | Reporter | CWE
High | Active, Verified | Sept. 5, 2024 | 0 days | Infra Admin (infrasec_nunet) | 78
Location
File Path | maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
Calling out to the operating system to execute commands is generally not recommended. When the
application does execute operating-system commands, user input must never be used to construct the
command or its arguments. If possible, use a library that provides the same functionality without
spawning a process. Otherwise, hard-code both the command and its arguments, or at the very least
restrict which arguments can be passed to the command-execution function. This matters most for
system(), the function flagged here: it hands the whole string to /bin/sh -c, so any shell
metacharacter in an attacker-controlled portion of that string is interpreted by the shell.
For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177
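Findings 23598, 23599 and 23600 all report the same pattern, system() called from maint-scripts/config_network.c, and the source of that file is not reproduced on this page. The following is an added example, not code from that file or from the project: a hypothetical interface bring-up helper written the way flawfinder.system-1 objects to, beside a hardened version that allowlists the interface name and runs a fixed argv through execv so no shell ever parses the untrusted value. The function names bring_up_unsafe, build_shell_command, is_safe_ifname and bring_up_safe, the hostile input string, and the use of /sbin/ip are assumptions for illustration.

```c
/* Added example for findings 23598-23600; not code from maint-scripts/config_network.c.
 * Function names, the hostile input and the use of /sbin/ip are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Builds the command line the vulnerable version hands to system(). Kept as a
 * separate function so the injected string can be inspected without running it. */
void build_shell_command(const char *ifname, char *buf, size_t size)
{
    snprintf(buf, size, "ip link set %s up", ifname);
}

/* VULNERABLE (the pattern flawfinder.system-1 reports, CWE-78): system() runs
 * the string through /bin/sh -c, so an ifname of "eth0; id > /tmp/pwned"
 * becomes two shell commands, the second one attacker-chosen. */
int bring_up_unsafe(const char *ifname)
{
    char cmd[256];
    build_shell_command(ifname, cmd, sizeof cmd);
    return system(cmd);
}

/* Allowlist for the one value that comes from outside. Linux interface names
 * are at most IFNAMSIZ-1 (15) bytes; restrict them to [A-Za-z0-9_.-], which
 * excludes every shell metacharacter and whitespace, and reject a leading '-'
 * so the value cannot be parsed as an option by the program it is passed to. */
int is_safe_ifname(const char *ifname)
{
    size_t len = strlen(ifname);
    if (len == 0 || len > 15 || ifname[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)ifname[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* HARDENED: fixed program (absolute path, no PATH lookup), fixed argv, and the
 * untrusted value passed as exactly one argv element. No shell is involved, so
 * there is nothing for metacharacters to act on. Returns the child's exit
 * status, -1 if the name fails validation, -2 on fork/exec/wait failure. */
int bring_up_safe(const char *ifname)
{
    if (!is_safe_ifname(ifname))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        char *const argv[] = { "ip", "link", "set", (char *)ifname, "up", NULL };
        execv("/sbin/ip", argv);
        _exit(127);               /* exec failed; never fall back to a shell */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}

int main(void)
{
    const char *hostile = "eth0; id > /tmp/pwned";   /* constructed input */
    char cmd[256];
    build_shell_command(hostile, cmd, sizeof cmd);
    printf("system() would run: sh -c \"%s\"\n", cmd);
    printf("bring_up_safe(hostile) = %d (rejected before fork)\n",
           bring_up_safe(hostile));
    return 0;
}
```

The real fix is the execv call with a fixed argv, not the allowlist: even a value that slipped past is_safe_ifname reaches ip as a single argument rather than as shell syntax. The allowlist is defense in depth, and the leading-dash check covers argument injection against whatever program is invoked, a separate weakness that replacing the shell does not address by itself.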
Mitigation
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1
Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021
Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017
Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system