Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language | java |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description#
The code builds SQL queries by concatenating or formatting strings with user input when using Hibernate. This allows attackers to inject malicious SQL code if inputs are not properly handled. Using prepared statements prevents this risk.
Impact#
If exploited, an attacker could run arbitrary SQL commands against your database—stealing, modifying, or deleting data, bypassing authentication, or compromising the entire application. This can result in data breaches, data loss, and serious damage to your organization’s reputation and security.