112 – SQL injection - Java SQL API
Description
Dynamic SQL statements are generated without the required data validation and without using parameterized statements or stored procedures.
Impact
Inject SQL statements, with the possibility of obtaining information about the database, as well as extract information from it.
Recommendation
Perform queries to the database through sentences or parameterized procedures. Alternatively, use escape(String) built-in function.
Threat
Authenticated attacker from the Internet.
Expected Remediation Time
Score 4.0
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
- Attack vector: N
- Attack complexity: H
- Attack Requirements: N
- Privileges required: L
- User interaction: N
- Confidentiality (VC): L
- Integrity (VI): L
- Availability (VA): L
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: P