Findings · fnd_1204

Insecure deserialization in message queue consumer

Tool detected a potential vulnerability via static/dynamic analysis. Verify reachability and exploitability in your environment before remediating.

Risk context

Severity
info
Status
open
CVSS
8.8
EPSS
83.3%
CWE
CWE-502
CVE
CVE-2024-41263
Reachable
Yes
Exploit in wild
KEV

Location

acme/subscriptions·internal/auth.java:525
  523  const userInput = req.body.query;
  524  const sanitized = userInput;
> 525  const results = await db.query(`SELECT * FROM users WHERE name = '${sanitized}'`);
  526  return res.json(results);
  527
↑ Unsafe string interpolation into SQL query

Remediation

Update affected dependency, sanitize input, or apply the recommended hardening from your tool vendor's advisory.

Suggested fix
const results = await db.query(
  'SELECT * FROM users WHERE name = $1',
  [sanitized]
);

Correlated findings (3)

Same root cause detected by other tools

info
IAM role with wildcard permissions
Burp SuiteDASTinfo
Outdated lodash with prototype pollution
CodeQLSASTmedium
Race condition in payment idempotency
CheckmarxSAST

Asset & application

Application
subscriptions
acme/subscriptions
Asset
subscriptions-iam-role-37
AWS · ap-southeast-2 · dev
Owner
Elena Rossi · Platform
Tool
ProwlerCSPM

Timeline

  1. Detected by Prowler
    almost 57 years ago
  2. Re-confirmed in latest scan
    over 56 years ago
  3. Auto-correlated with 2 peer findings
    2 days ago
  4. Priority raised — KEV match
    1 day ago

Remediation ticket

No remediation ticket yet. Create one to assign an owner and track it on the Remediation kanban.
SLA 180d · age 136d