106 – NoSQL injection

Description

The system generates NoSQL queries dynamically and without validating untrusted inputs.

Impact

Obtain information from the environment by means of malicious statements.

Recommendation

Validate and escape data that will be included in sentences generated dynamically.

Threat

Anonymous attacker from the Internet.

Expected Remediation Time

45 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: L
• Attack Requirements: N
• Privileges required: N
• User interaction: N
• Confidentiality (VC): L
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 169 - Use parameterized queries
• 173 - Discard unsafe inputs

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Php
• Python
• Ruby
• Scala
• Typescript

Last updated

2024/02/13