Bash Command Injection

OWASP 2013-A1 OWASP 2017-A1 OWASP PC-C3 PCI v3.2- CAPEC-88 CWE-78 HIPAA-78 ISO27001-A.14.2.5 WSTG-INPV-12 WASC-31

Command injection is an injection technique in which an attacker executes arbitrary commands on the host operating system through a vulnerable application. The attack is possible when a web application passes unsafe user-supplied data (from forms, cookies, HTTP headers, etc.) to a system shell. The operating system commands sent by the attacker are executed with the privileges of the vulnerable application. This class of attack is largely caused by insufficient input validation.

Some servers run a version of Bash that is affected by a code injection vulnerability. It allows an attacker to execute malicious code by supplying a specially crafted environment. Because server-side scripts invoke Bash in the background, the vulnerability can be exploited remotely over the network, which may lead to severe damage to the server.

The impact includes:

  • Executing commands on the underlying operating system.
  • Further injection attacks.
  • Data loss.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Upgrade Bash to the latest version.
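The following is an added example (not code from the original page) showing the injection point described above beside its hardened form. It assumes a hypothetical web handler that pings a user-supplied hostname; `vulnerable_command` only builds the string a `shell=True` call would hand to `/bin/sh`, it never runs it.

```python
import re
import subprocess

# Allow-list for a hostname: no shell metacharacters, and no leading "-"
# so the value cannot be interpreted as a command-line option either.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

def vulnerable_command(host: str) -> str:
    """Unsafe pattern: the user value is concatenated into a shell string.
    Anything after ';', '&&', '|' or '$(...)' in `host` becomes a second
    command when /bin/sh parses the string. Shown only for comparison."""
    return f"ping -c 1 {host}"

def safe_argv(host: str) -> list[str]:
    """Hardened pattern: validate against an allow-list, then pass the value
    as a single argv element so no shell ever parses it."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]

def is_valid_host(host: str) -> bool:
    """Validation result on its own, e.g. for logging rejected input."""
    return HOSTNAME_RE.fullmatch(host) is not None

def run_ping(host: str) -> subprocess.CompletedProcess:
    """Executes the hardened command (no shell=True, bounded by a timeout)."""
    return subprocess.run(safe_argv(host), capture_output=True,
                          text=True, timeout=5, check=False)

if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying a chained command.
    for sample in ("example.com", "example.com; id"):
        print(repr(sample), "valid" if is_valid_host(sample) else "rejected")
```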
