Findings · fnd_143

SSRF in webhook fetcher

Tool detected a potential vulnerability via static/dynamic analysis. Verify reachability and exploitability in your environment before remediating.

View tkt_6

Risk context

Severity

info

Status

triaged

CVSS

7.2

EPSS

13.6%

CWE

CWE-287

CVE

CVE-2021-16468

Reachable

Yes

Exploit in wild

KEV

Location

acme/fraud-engine·services/auth.java:470

  468  const userInput = req.body.query;
  469  const sanitized = userInput;
> 470  const results = await db.query(`SELECT * FROM users WHERE name = '${sanitized}'`);
  471  return res.json(results);
  472

↑ Unsafe string interpolation into SQL query

Remediation

Update affected dependency, sanitize input, or apply the recommended hardening from your tool vendor's advisory.

Suggested fix

const results = await db.query(
  'SELECT * FROM users WHERE name = $1',
  [sanitized]
);

Correlated findings (3)

Same root cause detected by other tools

info

Race condition in payment idempotency

SnykSCA medium

Missing CSP header on auth pages

Burp Pro PenTestPenTest low

Dependency confusion risk on internal package

Contrast RASPRASP

Asset & application

Application

fraud-engine

acme/fraud-engine

Asset

fraud-engine-lambda-77

GCP · ap-southeast-2 · production

Owner

Sarah Chen · Growth

Tool

ProwlerCSPM

Timeline

Detected by Prowler
almost 57 years ago
Re-confirmed in latest scan
over 56 years ago
Auto-correlated with 2 peer findings
2 days ago
Priority raised — KEV match
1 day ago

Remediation ticket

Kanban

tkt_6due Jan 3

Status

Assignee

SLA 180d · age 157d on track