Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: java
Severity: medium
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Building SQL queries by directly concatenating or formatting user input into the query string makes your code vulnerable to SQL injection. Because the input is not neutralized, an attacker can supply values that are interpreted as SQL syntax rather than as data.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: java
Severity: medium
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Building JDO (Java Data Objects) SQL queries by concatenating or formatting strings with untrusted input can allow attackers to inject malicious SQL code. This happens when user-controlled data is placed directly into the query statement instead of being passed as a query parameter.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: java
Severity: medium
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Building SQL queries by concatenating strings or using formatted strings with user input can allow malicious data to alter the intended SQL command. This practice makes your code vulnerable to SQL injection attacks.

Impact

An attacker could manipulate the SQL query to access, modify, or delete database data, bypass authentication, or execute unauthorized operations. This can lead to data breaches, loss of sensitive information, and compromise of the entire application.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: java
Severity: high
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: High
Impact Level: Medium
Likelihood Level: High

Description

User input taken from HTTP requests (such as query parameters, form fields or headers) is used directly to build SQL queries without proper sanitization or parameterization. This allows an attacker who controls the request to inject SQL code into the query.

Impact

If exploited, an attacker could read, modify, or delete data in your database, bypass authentication, or execute administrative operations. This can result in data breaches, loss of data integrity, and severe compromise of your application’s security.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: java
Severity: medium
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

This code builds SQL queries by appending user input (a String) to the query string before passing it to the database. This practice makes the application vulnerable to SQL injection because the untrusted input is treated as part of the SQL command rather than as a bound value.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: java
Severity: high
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

User-controlled data from AWS Lambda event objects is being included directly in SQL statements without proper sanitization or parameterization. This allows attackers to inject malicious SQL code by manipulating input values.

Impact

If exploited, an attacker could manipulate the database by executing unauthorized queries, such as reading, modifying, or deleting data. This can lead to data breaches, data loss, or compromise of the entire application backend.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: java
Severity: high
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

User input is being directly used to build SQL queries by concatenating strings, which can allow attackers to inject malicious SQL commands. This practice is unsafe and should be replaced with parameterized queries to prevent SQL injection.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: java
Severity: medium
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

Input arriving through public methods (which may be called with untrusted values) is used directly in SQL statements without proper sanitization or parameterization. This allows attackers to manipulate database queries by injecting malicious SQL code.

Impact

If exploited, an attacker could access, modify, or delete sensitive data in the database, bypass authentication, or compromise the entire application. This can lead to data breaches, loss of data integrity, and severe damage to the organization’s reputation.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: java
Severity: high
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

User input is combined directly into SQL query strings without proper handling. This makes the code vulnerable to SQL injection, where attackers can manipulate database queries by sending specially crafted input. Always use prepared statements (bound parameters) or an ORM to pass user data into SQL queries safely.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: javascript
Severity: high
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

User input is being directly inserted into SQL queries by string concatenation instead of using parameterized queries. This exposes the code to SQL injection attacks because attackers can manipulate input to alter the intended SQL command.