CWE-89 refers to "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", a common software security weakness. Below is a detailed answer to your question. What CWE-89 is: CWE-89 is a security weakness that describes what can happen when an application embeds user input directly into an SQL query without properly validating or escaping that input. Such improper handling can lead to...
We may come across flaws flagged for CWE-89 SQL Injection on a perfectly parameterized PreparedStatement. That is because, as we realized, the SQL queries use variables for their table name or column name. For example: class EmployeeDaoImpl { public Employee insertEmp(Employee employee) { .. .. .. /...
CWE-89: SQL Injection. SQL injection is a common attack technique in which an attacker injects malicious SQL code into user-supplied data in order to perform unauthorized operations on the database, such as deleting, modifying, querying or adding records. To defend against SQL injection, developers should use parameterized queries or prepared statements and strictly validate and filter user input. CWE-20: Improper Input Validation (Improper Inp...
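The two defenses the snippets above describe (parameterized queries for values, and the case where a scanner still flags a parameterized statement because the table or column name is itself a variable) are shown together in the following added example. It is not code from any of the quoted pages; it uses Python's built-in sqlite3 module and constructed sample rows, and the table and column allow-lists are assumptions chosen for the demo. The same pattern applies to a Java PreparedStatement: `?` placeholders bind values, never identifiers, so identifiers must be checked against a fixed allow-list before they are spliced into the SQL text.

```python
import sqlite3

# Constructed sample data for the demo (not taken from any real system).
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com", "staff"),
    (2, "bob", "bob@example.com", "admin"),
]

# Assumed allow-lists: the only identifiers the application may splice into SQL.
ALLOWED_TABLES = {"employee", "contractor"}
ALLOWED_SORT_COLUMNS = {"id", "username", "role"}


def make_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (id INTEGER, username TEXT, email TEXT, role TEXT)")
    conn.execute("CREATE TABLE contractor (id INTEGER, username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # CWE-89: the untrusted value is spliced into the statement text, so quote
    # characters inside it change the structure of the query.
    sql = "SELECT id, username FROM employee WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # The value travels as a bound parameter. The driver never parses it as
    # SQL, so "' OR '1'='1" is compared as a plain string and matches nothing.
    sql = "SELECT id, username FROM employee WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def list_users_sorted(conn, table, sort_column):
    # Identifiers cannot be bound as parameters: binding "username" would
    # produce the string literal 'username', not a column reference. This is
    # the dynamic table/column-name case that scanners flag even on prepared
    # statements. The fix is an allow-list check before any string splicing.
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unexpected table name: {table!r}")
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unexpected sort column: {sort_column!r}")
    sql = f'SELECT id, username FROM "{table}" ORDER BY "{sort_column}"'
    return conn.execute(sql).fetchall()


def demo():
    """Run the vulnerable and hardened paths against the same payloads."""
    conn = make_db()
    payload = "' OR '1'='1"
    vuln = find_user_vulnerable(conn, payload)   # tautology returns every row
    safe = find_user_safe(conn, payload)         # literal comparison returns none
    sorted_rows = list_users_sorted(conn, "employee", "username")
    try:
        list_users_sorted(conn, "employee; DROP TABLE employee", "id")
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_rows": len(vuln),
        "safe_rows": len(safe),
        "sorted": sorted_rows,
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable function returning both rows for the tautology payload while the parameterized version returns none, and the identifier path rejecting anything outside the allow-list before it reaches the database. Escaping or quoting an identifier is not a substitute for the allow-list: the check is what keeps the set of reachable tables and columns fixed regardless of input.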
Description A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" in maxprofile/menu/model.lua (editUserMenu endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to execute arbitrary SQL commands via...
CWE-89 C/C++ cpp/sql-injection Uncontrolled data in SQL query
CWE-114 C/C++ cpp/uncontrolled-process-operation Uncontrolled process operation
CWE-118 C/C++ cpp/offset-use-before-range-check Array offset used before range check
CWE-118 C/C++ cpp/double-free Potential double free
CWE-118 C/C+...
CWE-89 - improperly neutralizing special elements in SQL commands (SQL injection). Severity score: 22.11.
CWE-20 - improperly validating input. Severity score: 20.63.
CWE-125 - out-of-bounds reading. Severity score: 17.67.
CWE-78 - improperly neutralizing special elements in operating system comma...
That looks odd to me; reporting SQL Injection on the `rs.getString()` does not make much sense. Could it be by any chance that there was a small change since the latest Veracode scan which led to a shift in the line numbers? I would recommend a re-scan to check if the i...
Apex 89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Apex 116 The ...
Veracode reports Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE 89) in ServiceStack OrmLite. Preface: In...
CWE-89 C# cs/sql-injection SQL query built from user-controlled sources
CWE-90 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE-91 C# cs/xml-injection XML injection
CWE-91 C# cs/xml/xpath-injection XPath injection
CWE-93 C# cs/web/disabled-header-checking Header checki...