DerScanner
Home / Vulnerability Database / Java : SQL injection: parameter tampering
Java

Java : SQL injection: parameter tampering

Classification

OWASP Top 10 2013
A1-InjectionA4-Insecure Direct Object References
OWASP Top 10 2017
A1-Injection
OWASP Top 10 2021
A3-InjectionA4-Insecure Design
OWASP ASVS
Validation, Sanitization and EncodingValidation, Sanitization and EncodingValidation, Sanitization and EncodingValidation, Sanitization and EncodingAccess ControlAccess ControlAccess ControlAccess Control
PCI DSS 4.0
6.2.4
HIPAA
§164.312 (a)(1)§164.312 (d)
CWE
CWE-20CWE-89CWE-639CWE-807CWE-840CWE-1027CWE-1030
CWE/SANS Top 25 2011
CWE-89CWE-807
CWE/SANS Top 25 2021
CWE-20CWE-89

Overview

The application executes an SQL query using a parameter received from the user without additional filtering. An attacker could gain access to information about other users. With such a direct request for information, for example, by bank account number, an attacker can steal confidential information (for example, a bank account balance) using a direct link to the object.

References

  1. Top 10 2013-A4-Insecure Direct Object References
  2. OWASP Top 10 2017-A1-Injection
  3. OWASP: SQL Injection
  4. CWE CATEGORY: OWASP Top Ten 2017 Category A1 - Injection
  5. CWE-1030
  6. CWE-639
  7. CWE-89
LOW

DerScanner Severity Score

Do you want to fix Java : SQL injection: parameter tampering in your application?

See also

Java

Java : Race condition

Java

Java : Text4Shell Vulnerability

Java

Java : JNI usage