SYM_JAVA_0017 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
The code constructs SQL queries in Slick using string interpolation with formatted variables (e.g., #$variable), which can insert unsanitized user input directly into the SQL statement. This practice can allow attackers to manipulate the query and execute arbitrary SQL commands.
Impact
If exploited, an attacker could perform SQL injection, leading to unauthorized data access, data modification, or even deletion of critical information. This can compromise user data, application integrity, and potentially give attackers full control over the database.