Impact
The vulnerability is a SQL injection (CWE-89). It allows an attacker to manipulate SQL queries by injecting arbitrary SQL commands through unsanitized input fields. Any system that processes database queries based on user input is potentially at risk. Attackers could exploit this vulnerability to view, modify, or delete sensitive data, or potentially execute administrative operations on the database.
Affected parties include:
- Applications relying on user input for database operations.
- Systems where input sanitization or parameterized queries are not properly implemented.
Patches
Current version
Workarounds
If upgrading is not possible, you can apply the following mitigations:
- Ensure all database queries use parameterized queries or prepared statements.
- Sanitize and validate all user inputs to avoid direct insertion into SQL queries.
References: