Don’t call system. It is a high-level wrapper that hands its argument to a shell, which allows stacking multiple commands in one string. Always prefer a more restrictive API such as execve from the exec family.
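The following added example (not part of this rule page) puts the flagged pattern next to the recommended replacement: a system() call that splices an untrusted directory name into a shell command line, and a fork()+execve() helper that passes the same value as a single argv element so no shell ever parses it. The helper name run_without_shell and the fixed PATH in envp are assumptions chosen for the example.

```c
/* Added example: replace system() with fork()+execve() so arguments reach
   the program directly and are never interpreted by /bin/sh. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Runs argv[0] (an absolute path) with the given argument vector and waits
   for it. Returns the child's exit status, 127 if execve failed, or -1 on
   fork/waitpid failure. No shell, no PATH search, fixed environment. */
int run_without_shell(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL }; /* assumed */
        execve(argv[0], argv, envp);
        _exit(127);                 /* execve only returns on failure */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Pattern the rule flags (CWE-78): dir is concatenated into a command
   string that the shell then parses, so characters such as ';' or '&&'
   inside dir separate and start additional commands. */
int list_dir_unsafe(const char *dir) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "ls -l %s", dir);
    return system(cmd);
}

/* Recommended form: dir is one argv entry and is passed to ls verbatim;
   shell metacharacters in it are just bytes of a filename. */
int list_dir_safe(const char *dir) {
    char *const argv[] = { "/bin/ls", "-l", (char *)dir, NULL };
    return run_without_shell(argv);
}

int main(int argc, char **argv) {
    const char *dir = argc > 1 ? argv[1] : ".";
    int rc = list_dir_safe(dir);
    printf("ls exited with status %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Run it with an argument such as "x; echo injected" to see that ls receives that whole string as a single (nonexistent) filename instead of the shell running a second command.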
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection