External Control of System Setting

Description

The application uses user-supplied input in a `java.sql.Connection`'s `setCatalog` call, allowing an adversary to supply a different database for the lifetime of the connection. This could disrupt service or cause the application to behave in unexpected ways.

Examples

Insecure Code

java

java.sql.Connection conn = ...; conn.setCatalog(request.getParameter("catalog"));

Secure Code

java

java.sql.Connection conn = ...; conn.setCatalog("my_catalog");

Remediation

Use a predefined or validated catalog name instead of user-supplied input when setting the catalog for a database connection.

Rule Details

Field	Value
ID	CODE-0729
Category	Injection
Severity	LOW
CWE	CWE-15
Confidence	HIGH
Impact	LOW
Likelihood	MEDIUM
Exploitability	MODERATE
Tags	injection, sql
OWASP	A1:2017-Injection, A03:2021-Injection

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

External Control of System Setting

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

External Control of System Setting ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

External Control of System Setting

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details