SYM_PY_0244 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Building SQL queries by concatenating or formatting user input into strings and passing them to sqlalchemy.text() can allow attackers to inject malicious SQL code. This approach bypasses SQLAlchemy's built-in protections, making your code vulnerable to SQL injection.
Impact
If exploited, an attacker could execute arbitrary SQL commands against your database, potentially leading to data theft, data manipulation, or deletion. This could compromise sensitive information, disrupt application functionality, or even result in a complete database breach.