SYM_JAVA_0018 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Using variables or formatted strings directly in the overrideSql(...) function can introduce untrusted data into SQL queries, making the code vulnerable to SQL injection. Always use constant string literals for SQL statements or properly sanitize and parameterize any dynamic input.
Impact
If exploited, attackers could manipulate SQL queries to access, modify, or delete database data, bypass authentication, or escalate privileges. This can lead to data breaches, loss of data integrity, and compromise of sensitive information within your application.