SYM_JAVA_0134 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language | java |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Low |
Description
This code builds SQL queries by directly adding user input (a String) to the query string before passing it to the database. This practice makes the application vulnerable to SQL injection attacks because untrusted input is not safely handled.
Impact
If exploited, an attacker could inject malicious SQL code through input fields, allowing them to access, modify, or delete database data, bypass authentication, or escalate privileges. This can lead to data breaches, loss of sensitive information, and compromise of the entire application.