dangerous-interactive-code-run-audit
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
dangerous-subprocess-use-tainted-env-args
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
dangerous-spawn-process-audit
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
dangerous-annotations-usage
typing.get_type_hints are evaluated in globals and locals namespaces. Make sure that no arbitrary value can be written as the annotation and passed to typing.get_type_hints function.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
non-literal-import
importlib.import_module() function allows an attacker to load arbitrary code. Avoid dynamic values in importlib.import_module() or use a whitelist to prevent running untrusted code.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-706: Use of Incorrectly-Resolved Name or Reference
OWASP:
- A01:2021 - Broken Access Control
exec-detected
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
dangerous-os-exec-audit
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
dangerous-asyncio-exec-audit
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
dangerous-subinterpreters-run-string-tainted-env-args
run_string. This is dangerous because it allows a malicious actor to run arbitrary Python code.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
dangerous-spawn-process-tainted-env-args
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
md5-used-as-password
hashlib.scrypt.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
dynamic-urllib-use-detected
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-939: Improper Authorization in Handler for Custom URL Scheme
OWASP:
- A01:2017 - Injection
mako-templates-detected
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
formatted-sql-query
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
multiprocessing-recv
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
dangerous-os-exec-tainted-env-args
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
dangerous-asyncio-create-exec-audit
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
dangerous-asyncio-exec-tainted-env-args
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
paramiko-implicit-trust-host-key
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-322: Key Exchange without Entity Authentication
OWASP:
- A02:2021 - Cryptographic Failures
dangerous-asyncio-shell-audit
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
ssl-wrap-socket-is-deprecated
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
dangerous-testcapi-run-in-subinterp-audit
run_in_subinterp. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
dangerous-subprocess-use-audit
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
eval-detected
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
insecure-file-permissions
$BITS are widely permissive and grant access to more people than may be necessary. A good default is 0o644, which gives read and write access to yourself and read access to everyone else.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-276: Incorrect Default Permissions
OWASP:
- A01:2021 - Broken Access Control
hardcoded-password-default-argument
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-798: Use of Hard-coded Credentials
OWASP:
- A07:2021 - Identification and Authentication Failures
subprocess-shell-true
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
dangerous-interactive-code-run-tainted-env-args
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
system-wildcard-detected
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-155: Improper Neutralization of Wildcards or Matching Symbols
OWASP:
- A01:2017 - Injection
httpsconnection-detected
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-295: Improper Certificate Validation
OWASP:
- A03:2017 - Sensitive Data Exposure
- A07:2021 - Identification and Authentication Failures
python-reverse-shell
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-553: Command Shell in Externally Accessible Directory
ftplib
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-319: Cleartext Transmission of Sensitive Information
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
weak-ssl-version
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
regex_dos
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-1333: Inefficient Regular Expression Complexity
OWASP:
- A06:2017 - Security Misconfiguration
dangerous-asyncio-create-exec-tainted-env-args
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
dangerous-system-call-audit
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
dangerous-system-call-tainted-env-args
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
dangerous-subinterpreters-run-string-audit
run_string. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
dangerous-testcapi-run-in-subinterp-tainted-env-args
run_in_subinterp. This is dangerous because it allows a malicious actor to run arbitrary Python code.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
marshal-usage
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
dangerous-asyncio-shell-tainted-env-args
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
telnetlib
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-319: Cleartext Transmission of Sensitive Information
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures