Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description#
User input from the AWS Lambda event object is being used directly in Knex raw SQL queries without proper sanitization. This allows attackers to inject malicious SQL code if the input is not safely handled. To prevent this, always use parameterized queries with Knex.
Impact#
If exploited, attackers can manipulate your database by reading, modifying, or deleting data, potentially leading to data breaches, loss of data integrity, or unauthorized access. This can severely compromise the security of your application and expose sensitive information.