SYM_JSTS_0128 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
OWASP | A01:2017 - Injection |
Confidence Level | Medium |
Impact Level | High |
Likelihood Level | Medium |
Description
User input from the AWS Lambda event object is used directly in Knex raw SQL queries without sanitization. Because the input becomes part of the SQL text itself, an attacker who controls it can change the structure of the query and inject SQL of their own. To prevent this, always pass user input to Knex as query parameters (bindings) instead of interpolating it into the query string.
Impact
If exploited, attackers can read, modify, or delete data in your database, potentially leading to data breaches, loss of data integrity, or unauthorized access. This can severely compromise the security of your application and expose sensitive information.