Found dynamic content inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
Detected subprocess function ‘$FUNC’ with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using ‘shlex.escape()’.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Found dynamic content when spawning a process. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Annotations passed to typing.get_type_hints are evaluated in globals and locals namespaces. Make sure that no arbitrary value can be written as the annotation and passed to typing.get_type_hints function.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
Untrusted user input in importlib.import_module() function allows an attacker to load arbitrary code. Avoid dynamic values in importlib.import_module() or use a whitelist to prevent running untrusted code.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-706: Use of Incorrectly-Resolved Name or Reference
OWASP:
- A01:2021 - Broken Access Control
Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
Found dynamic content when spawning a process. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Detected subprocess function ‘$LOOP.subprocess_exec’ without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using ‘shlex.escape()’.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Found user controlled content in run_string. This is dangerous because it allows a malicious actor to run arbitrary Python code.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use hashlib.scrypt.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
Detected a dynamic value being used with urllib. urllib supports ‘file://’ schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the ‘requests’ library instead.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-939: Improper Authorization in Handler for Custom URL Scheme
OWASP:
- A
- 0
- 1
- :
- 2
- 0
- 1
- 7
-

- -
-

- I
- n
- j
- e
- c
- t
- i
- o
- n
Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using ’| u’ for URL escaping or ’| h’ for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
Detected possible formatted SQL query. Use parameterized queries instead.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Detected ‘create_subprocess_exec’ function without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using ‘shlex.escape()’.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Detected subprocess function ‘$LOOP.subprocess_exec’ with user controlled data. You may consider using ‘shlex.escape()’.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Detected a paramiko host key policy that implicitly trusts a server’s host key. Host keys should be verified to ensure the connection is not to a malicious server. Use RejectPolicy or a custom subclass instead.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-322: Key Exchange without Entity Authentication
OWASP:
- A02:2021 - Cryptographic Failures
Detected asyncio subprocess function without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using ‘shlex.escape()’.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
‘ssl.wrap_socket()’ is deprecated. This function creates an insecure socket without server name indication or hostname matching. Instead, create an SSL context using ‘ssl.SSLContext()’ and use that to wrap a socket.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
Found dynamic content in run_in_subinterp. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
Detected subprocess function ‘$FUNC’ without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using ‘shlex.escape()’.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
These permissions $BITS are widely permissive and grant access to more people than may be necessary. A good default is 0o644 which gives read and write access to yourself and read access to everyone else.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-276: Incorrect Default Permissions
OWASP:
- A01:2021 - Broken Access Control
Hardcoded password is used as a default argument to ‘$FUNC’. This could be dangerous if a real password is not supplied.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-798: Use of Hard-coded Credentials
OWASP:
- A07:2021 - Identification and Authentication Failures
Found ‘subprocess’ function ‘$FUNC’ with ‘shell=True’. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use ‘shell=False’ instead.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named ‘-e sh script.sh’ — this will execute a script when ‘rsync’ is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-155: Improper Neutralization of Wildcards or Matching Symbols
OWASP:
- A
- 0
- 1
- :
- 2
- 0
- 1
- 7
-

- -
-

- I
- n
- j
- e
- c
- t
- i
- o
- n
The HTTPSConnection API has changed frequently with minor releases of Python. Ensure you are using the API for your version of Python securely. For example, Python 3 versions prior to 3.4.3 will not verify SSL certificates by default. See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection for more information.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-295: Improper Certificate Validation
OWASP:
- A03:2017 - Sensitive Data Exposure
- A07:2021 - Identification and Authentication Failures
Semgrep found a Python reverse shell using BINPATHtoBINPATH to IP at $PORT
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-553: Command Shell in Externally Accessible Directory
FTP does not encrypt communications by default. This can lead to sensitive data being exposed. Ensure use of FTP here does not expose sensitive data.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-319: Cleartext Transmission of Sensitive Information
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use ‘ssl.PROTOCOL_TLSv1_2’ or higher.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
Detected usage of re.compile with an inefficient regular expression. This can lead to regular expression denial of service, which can result in service down time. Instead, check all regexes or use safer alternatives such as pyre2.
Likelihood: LOW
Confidence: LOW
CWE:
- C
- W
- E
- -
- 1
- 3
- 3
- 3
- :
-

- I
- n
- e
- f
- f
- i
- c
- i
- e
- n
- t
-

- R
- e
- g
- u
- l
- a
- r
-

- E
- x
- p
- r
- e
- s
- s
- i
- o
- n
-

- C
- o
- m
- p
- l
- e
- x
- i
- t
- y
OWASP:
- A
- 0
- 6
- :
- 2
- 0
- 1
- 7
-

- -
-

- S
- e
- c
- u
- r
- i
- t
- y
-

- M
- i
- s
- c
- o
- n
- f
- i
- g
- u
- r
- a
- t
- i
- o
- n
Detected ‘create_subprocess_exec’ function with user controlled data. You may consider using ‘shlex.escape()’.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Found dynamic content used in a system call. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the ‘subprocess’ module instead, which is easier to use without accidentally exposing a command injection vulnerability.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the ‘subprocess’ module instead, which is easier to use without accidentally exposing a command injection vulnerability.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Found dynamic content in run_string. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
Found user controlled content in run_in_subinterp. This is dangerous because it allows a malicious actor to run arbitrary Python code.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
Detected asyncio subprocess function with user controlled data. You may consider using ‘shlex.escape()’.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Telnet does not encrypt communications. Use SSH instead.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-319: Cleartext Transmission of Sensitive Information
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures