Security
dangerous-spawn-process
Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
insecure-hash-algorithm-sha1
Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
insecure-hash-algorithm-md5
Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
dangerous-subinterpreters-run-string
Found user controlled content in run_string. This is dangerous because it allows a malicious actor to run arbitrary Python code.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
use-defused-xmlrpc
Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-776: Improper Restriction of Recursive Entity References in DTDs (‘XML Entity Expansion’)
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
dangerous-interactive-code-run
Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
dangerous-globals-use
Found non-static data used as an index into 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-96: Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)
OWASP:
- A03:2021 - Injection
dangerous-os-exec
Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
use-defused-xml-parse
The native Python xml library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and "XML bombs" can cause denial of service. Do not use this library to parse untrusted input. Instead the Python documentation recommends using defusedxml.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
use-defused-xml
The Python documentation recommends using defusedxml instead of xml because the native Python xml library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and "XML bombs" can cause denial of service.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
dangerous-subprocess-use
Detected subprocess function '$FUNC' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.quote()' to escape arguments.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
unverified-ssl-context
Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use ‘ssl.create_default_context’ instead.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-295: Improper Certificate Validation
OWASP:
- A03:2017 - Sensitive Data Exposure
- A07:2021 - Identification and Authentication Failures
use-defusedcsv
Detected the generation of a CSV file using the built-in csv module. If user data is used to generate the data in this file, it is possible that an attacker could inject a formula that runs an attacker script when the CSV is imported into a spreadsheet application, which could steal data from the importing user or, at worst, install malware on the user's computer. defusedcsv is a drop-in replacement with the same API that will attempt to mitigate formula injection attempts. You can use defusedcsv instead of csv to safely generate CSVs.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-1236: Improper Neutralization of Formula Elements in a CSV File
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
dangerous-system-call
Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the ‘subprocess’ module instead, which is easier to use without accidentally exposing a command injection vulnerability.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
dangerous-testcapi-run-in-subinterp
Found user controlled content in run_in_subinterp. This is dangerous because it allows a malicious actor to run arbitrary Python code.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
insecure-hash-function
Detected use of an insecure MD4 or MD5 hash function. These functions have known vulnerabilities and are considered deprecated. Consider using ‘SHA256’ or a similar function instead.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures