Findings · fnd_1179

JWT signed with weak HS256 secret

Tool detected a potential vulnerability via static/dynamic analysis. Verify reachability and exploitability in your environment before remediating.

Risk context

Severity
critical
Status
open
CVSS
5.7
EPSS
67.7%
CWE
CWE-89
CVE
Reachable
No
Exploit in wild
KEV

Location

acme/billing-svc·services/auth.java:491
  489  const userInput = req.body.query;
  490  const sanitized = userInput;
> 491  const results = await db.query(`SELECT * FROM users WHERE name = '${sanitized}'`);
  492  return res.json(results);
  493
↑ Unsafe string interpolation into SQL query

Remediation

Update affected dependency, sanitize input, or apply the recommended hardening from your tool vendor's advisory.

Suggested fix
const results = await db.query(
  'SELECT * FROM users WHERE name = $1',
  [sanitized]
);

Correlated findings (3)

Same root cause detected by other tools

info
Missing CSP header on auth pages
Scout SuiteCSPMlow
Terraform module pins old AMI with CVEs
WizCSPMlow
Insecure deserialization in message queue consumer
CodeQLSAST

Asset & application

Application
billing-svc
acme/billing-svc
Asset
billing-svc-vm-45
GCP · eu-west-1 · production
Owner
Priya Patel · Data
Tool
WizCSPM

Timeline

  1. Detected by Wiz
    almost 57 years ago
  2. Re-confirmed in latest scan
    almost 57 years ago
  3. Auto-correlated with 2 peer findings
    2 days ago
  4. Priority raised — KEV match
    1 day ago

Remediation ticket

No remediation ticket yet. Create one to assign an owner and track it on the Remediation kanban.
SLA 7d · age 160d