Unsanitized user input in SQL catalog configuration
Overview
Rule ID: java_lang_information_leakage
Applicable Languages: Java
Weakness ID: CWE-15
Description
Using unsanitized user input to configure a SQL Connection's catalog can lead to serious security vulnerabilities. An attacker who controls the catalog name passed to the setCatalog method can redirect the connection to a catalog the application never intended to use, potentially causing harmful or unintended actions within the application.
Remediation Guidelines
Do not pass user input directly to setCatalog. Always validate the value first, preferably by checking it against an allow-list of catalogs the application is permitted to use, before applying it to the database configuration.
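The following is an added example illustrating this rule; it is not code from the rule's project. It places the vulnerable pattern (request parameter passed straight to setCatalog) beside a hardened version that checks the name's syntax and then an allow-list before touching the Connection. The catalog names, the identifier regex, and the recording Connection proxy (used so the class runs without a real database) are all assumptions made for the example.

```java
import java.lang.reflect.Proxy;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public class CatalogSelection {

    // Hypothetical allow-list: the only catalogs this application may select.
    private static final Set<String> ALLOWED_CATALOGS = Set.of("inventory", "reporting");

    // Conservative identifier syntax (assumed): letters, digits, underscore; no quotes,
    // dots, whitespace or control characters, and a length cap.
    private static final Pattern IDENTIFIER = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");

    /** Vulnerable form: the caller-supplied value reaches setCatalog unchanged. */
    static void selectCatalogUnsafe(Connection conn, String userInput) throws SQLException {
        conn.setCatalog(userInput);
    }

    /** Hardened form: syntax check, then allow-list check, before the connection is touched. */
    static void selectCatalogSafe(Connection conn, String userInput) throws SQLException {
        if (userInput == null || !IDENTIFIER.matcher(userInput).matches()) {
            throw new IllegalArgumentException("catalog name has invalid syntax");
        }
        if (!ALLOWED_CATALOGS.contains(userInput)) {
            throw new IllegalArgumentException("catalog not permitted: " + userInput);
        }
        conn.setCatalog(userInput);
    }

    /**
     * Stand-in Connection built with a dynamic proxy. It only records setCatalog
     * calls into the given list, so the example runs offline without a JDBC driver.
     */
    static Connection recordingConnection(List<String> log) {
        return (Connection) Proxy.newProxyInstance(
            Connection.class.getClassLoader(),
            new Class<?>[] { Connection.class },
            (proxy, method, args) -> {
                if ("setCatalog".equals(method.getName())) {
                    log.add((String) args[0]);
                    return null;
                }
                if ("toString".equals(method.getName())) {
                    return "RecordingConnection";
                }
                throw new UnsupportedOperationException(method.getName());
            });
    }

    public static void main(String[] args) throws SQLException {
        List<String> calls = new ArrayList<>();
        Connection conn = recordingConnection(calls);

        // Constructed inputs: one legitimate, one with a quote character (fails the
        // syntax check), one syntactically valid but outside the allow-list.
        String[] inputs = { "reporting", "rep\"orting", "system_catalog" };
        for (String in : inputs) {
            try {
                selectCatalogSafe(conn, in);
                System.out.println("accepted: " + in);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        // Only the allow-listed name ever reaches setCatalog.
        System.out.println("setCatalog was called with: " + calls);
    }
}
```

The two checks are deliberately separate: the regex rejects anything that is not a plain identifier, and the allow-list rejects identifiers that are well-formed but point at catalogs the application has no business selecting. Dropping the allow-list and relying on the regex alone would still let a caller steer the connection to any catalog the database user can access.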
References
Configuration
To exclude this rule from a scan, or to get continuous 24/7 code-level scanning, you can use our SAST TOOL.