SYM_GO_0057 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description
Your code is building SQL queries using values taken directly from the AWS Lambda $EVENT object without proper sanitization. This approach allows user-controlled input to be included in SQL statements, making the application vulnerable to SQL injection.
Impact
If exploited, an attacker could manipulate database queries to access, modify, or delete data, bypass authentication, or execute administrative operations. This could lead to data breaches, data loss, or compromise of the entire application backend.