listen-eval
listen-eval
Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
verify() argument to listen() to prevent unrecognized configurations.Likelihood: LOW
Confidence: LOW
CWE:
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
OWASP:
- A03:2021 - Injection
python-logger-credential-disclosure
python-logger-credential-disclosure
Detected a python logger call with a potential hardcoded secret $FORMAT_STRING being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-532: Insertion of Sensitive Information into Log File
OWASP:
- A09:2021 - Security Logging and Monitoring Failures
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-532: Insertion of Sensitive Information into Log File
OWASP:
- A09:2021 - Security Logging and Monitoring Failures