SYM_JAVA_0089 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language | java |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
The code builds SQL queries by concatenating or formatting strings with user input before executing them with JDBC methods. This practice allows attackers to inject malicious SQL, putting your database at risk.
Impact
If exploited, an attacker could access, modify, or delete sensitive data in your database, bypass authentication, or execute administrative operations. This can lead to data breaches, data loss, or full compromise of the application's backend.