VYPR
Severity: Unrated · NVD Advisory · Published Jan 15, 2023 · Updated Nov 25, 2024

bmattoso desafio_buzz_woody sql injection

CVE-2015-10048

Description

A vulnerability was found in bmattoso desafio_buzz_woody. It has been rated as critical. This issue affects some unknown processing. The manipulation leads to sql injection. The identifier of the patch is cb8220cbae06082c969b1776fcb2fdafb3a1006b. It is recommended to apply a patch to fix this issue. The identifier VDB-218357 was assigned to this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A SQL injection vulnerability in bmattoso/desafio_buzz_woody allows attackers to manipulate database queries; a patch is available.

Vulnerability

The repository bmattoso/desafio_buzz_woody contains a SQL injection vulnerability in the Database class, specifically in its execute method. The original code built the query text by concatenating user-supplied input into a SQL string and ran it through a JDBC Statement, so any quote or SQL syntax in the input was parsed as part of the query: classic SQL injection. The affected code is in src/main/java/com/dextra/injectit/database/Database.java. The repository was archived and made read-only on June 5, 2018, and no release version is named; the vulnerability is present in every revision before commit cb8220cbae06082c969b1776fcb2fdafb3a1006b. [1]

Exploitation

An attacker must be able to supply input that reaches the vulnerable execute method. The references do not describe the endpoint that passes input to it, so the authentication required to reach it is not established; treat unauthenticated reachability as the worst case rather than a confirmed fact. Because the assembled string goes to Statement.execute(sql) with no parameterization, crafted input can rewrite the query: a tautology such as ' OR '1'='1 widens a WHERE clause, a UNION SELECT pulls rows from other tables, and, where the driver accepts multiple statements in one call, appended statements can modify or drop data. [1]

Impact

Successful exploitation allows the attacker to run arbitrary SQL against the database with the privileges of the account the application connects as. Depending on that account's permissions, this means unauthorized reading of data, modification or deletion of rows, and potentially full compromise of the database. Confidentiality, integrity and availability are all affected: reads expose stored data, writes corrupt it, and destructive statements can make it unavailable; the severity of each depends on what the database holds and what the connecting account may do. [1]

Mitigation

The fix is commit cb8220cbae06082c969b1776fcb2fdafb3a1006b, which replaces the Statement with a PreparedStatement whose values are bound as parameters, so user input is never parsed as SQL. The repository is archived and read-only, so anyone who forked or downloaded the code must apply the patch manually, and should confirm that every query path in their copy uses bound parameters rather than string concatenation. No workaround is provided in the references. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. [1]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
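The Vulnerability, Exploitation and Mitigation sections above describe the same before/after: a query string assembled from user input and run through a JDBC Statement, versus a fixed query with the value bound through a PreparedStatement. The following is an added example, not code from bmattoso/desafio_buzz_woody or its patch; it mirrors that pattern in Python's standard-library sqlite3 module so it runs offline with no JDBC driver. The table names, columns, rows and payloads are constructed for the demonstration and are assumptions, not taken from the project.

```python
"""
Added example: string-concatenated SQL (the vulnerable pattern) beside a
parameterized query (the patched pattern), run against an in-memory SQLite
database. All schema, data and payloads below are constructed for this demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample data (not project data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT);
        INSERT INTO users (username, role) VALUES ('woody', 'user'), ('buzz', 'admin');
        CREATE TABLE api_keys (id INTEGER PRIMARY KEY, owner TEXT, key TEXT);
        INSERT INTO api_keys (owner, key) VALUES ('buzz', 'constructed-secret-key');
        """
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the input is spliced into the SQL text and the whole
    string is handed to the driver, as Statement.execute(sql) does in JDBC."""
    sql = "SELECT id, username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Patched pattern: the SQL text is fixed and the value is bound as a
    parameter, as PreparedStatement.setString does, so it is never parsed as SQL."""
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed payloads of the kinds the Exploitation section describes.
# Each closes the attacker-controlled quote and relies on the template's
# trailing quote to close the final literal.
TAUTOLOGY = "x' OR '1'='1"                                            # widens the WHERE clause
UNION = "x' UNION SELECT id, owner, key FROM api_keys WHERE '1'='1"   # reads another table


def demo() -> dict:
    """Run each payload through both versions and return the rows each yields."""
    conn = make_db()
    return {
        "benign_unsafe": lookup_unsafe(conn, "woody"),
        "benign_safe": lookup_safe(conn, "woody"),
        "tautology_unsafe": lookup_unsafe(conn, TAUTOLOGY),  # every user row
        "tautology_safe": lookup_safe(conn, TAUTOLOGY),      # no such username
        "union_unsafe": lookup_unsafe(conn, UNION),          # leaks api_keys
        "union_safe": lookup_safe(conn, UNION),              # no such username
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Two points of the demo carry over to the JDBC original. First, the parameterized version treats the entire payload as a username value, so the same input that dumped every user and leaked api_keys returns nothing; the fix is structural, not a matter of escaping quotes. Second, sqlite3's execute() refuses more than one statement per call, so a stacked payload such as x'; DROP TABLE users; -- raises an error here; a JDBC driver configured to allow multiple statements would run it, which is why the Exploitation section lists appended statements as a possibility rather than a certainty.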
