SYM_PY_0071 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
User input is being directly concatenated into SQL queries in asyncpg without proper sanitization or parameterization. This practice allows attackers to manipulate the database query and potentially run unintended SQL commands.
Impact
If exploited, attackers could read, modify, or delete sensitive database data, escalate privileges, or compromise the entire application. This can lead to data breaches, data loss, and significant harm to the application's integrity and security.