SYM_JAVA_0052 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements in Data Query Logic
| Property | Value |
|---|---|
| Language | java |
| Severity |  |
| CWE | CWE-943: Improper Neutralization of Special Elements in Data Query Logic |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
User-controlled or non-constant data is being passed into MongoDB queries using the '$where' operator, which allows execution of arbitrary JavaScript code. This makes the application vulnerable to NoSQL injection attacks if the input is not properly sanitized.
Impact
If exploited, an attacker could inject malicious queries, access or modify unauthorized data, bypass authentication, or execute arbitrary code in the database context. This could lead to data breaches, loss of data integrity, or full compromise of the application's backend database.