SYM_PY_0104 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements in Data Query Logic
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-943: Improper Neutralization of Special Elements in Data Query Logic |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
User input taken from the event object is passed directly into DynamoDB query filters without validation or sanitization, so an attacker can alter the query's logic by injecting crafted values into the filter parameters.
Impact
An attacker could craft requests that alter database queries, potentially exposing, modifying, or deleting data they shouldn't have access to. This can lead to data breaches, unauthorized access, or disruption of business operations.
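The pattern the description refers to, as an added example that is not part of this database entry or its source project: a vulnerable builder that splices request parameters straight into a DynamoDB `FilterExpression`, beside a hardened builder that allowlists field names and passes names and values only through expression placeholders. It assumes an API Gateway style event carrying `queryStringParameters` and a constructed allowlist, and it only builds the argument dict for a `Table.scan`/`query` call, so it runs without DynamoDB.

```python
import re

# Constructed allowlist (assumption): attributes a caller may filter on and
# the type each value must convert to. Anything else is rejected.
FILTERABLE_ATTRIBUTES = {"status": str, "owner_id": str, "priority": int}
_TOKEN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def build_filter_unsafe(event: dict) -> dict:
    """Vulnerable pattern: request parameters are spliced straight into the
    FilterExpression text, so operator text a caller sends becomes query logic."""
    params = event.get("queryStringParameters") or {}
    clauses = [f"{field} = {value}" for field, value in params.items()]
    return {"FilterExpression": " AND ".join(clauses)}


def build_filter_safe(event: dict) -> dict:
    """Hardened builder: field names must be allowlisted, values are strings
    that convert to the expected type, and both reach DynamoDB only through
    placeholders (ExpressionAttributeNames / ExpressionAttributeValues)."""
    params = event.get("queryStringParameters") or {}
    if not params:
        raise ValueError("no filter supplied")
    names, values, clauses = {}, {}, []
    for i, (field, raw) in enumerate(params.items()):
        expected = FILTERABLE_ATTRIBUTES.get(field)
        if expected is None:
            raise ValueError(f"field not filterable: {field!r}")
        if not isinstance(raw, str) or not _TOKEN.match(raw):
            raise ValueError(f"invalid value for {field!r}")
        try:
            value = expected(raw)  # e.g. "2" -> 2 for an int attribute
        except ValueError:
            raise ValueError(f"invalid value for {field!r}") from None
        names[f"#f{i}"] = field    # attribute name only via placeholder
        values[f":v{i}"] = value   # attribute value only via placeholder
        clauses.append(f"#f{i} = :v{i}")
    return {
        "FilterExpression": " AND ".join(clauses),
        "ExpressionAttributeNames": names,
        "ExpressionAttributeValues": values,
    }


def filter_is_accepted(event: dict) -> bool:
    # True when the hardened builder accepts the event's filter parameters.
    try:
        build_filter_safe(event)
        return True
    except ValueError:
        return False
```

The returned dict is what a handler would unpack into `table.scan(**params)`; the unsafe variant shows the raw parameter text landing verbatim in the expression, which is the defect the entry describes.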