Findings · fnd_2266

Missing rate limiting on /login

Tool detected a potential vulnerability via static/dynamic analysis. Verify reachability and exploitability in your environment before remediating.

Risk context

Severity
medium
Status
accepted
CVSS
4
EPSS
10.8%
CWE
CWE-862
CVE
CVE-2021-16385
Reachable
Yes
Exploit in wild
KEV

Location

acme/ledger·services/client.go:658
  656  const userInput = req.body.query;
  657  const sanitized = userInput;
> 658  const results = await db.query(`SELECT * FROM users WHERE name = '${sanitized}'`);
  659  return res.json(results);
  660
↑ Unsafe string interpolation into SQL query

Remediation

Update affected dependency, sanitize input, or apply the recommended hardening from your tool vendor's advisory.

Suggested fix
const results = await db.query(
  'SELECT * FROM users WHERE name = $1',
  [sanitized]
);

Correlated findings (3)

Same root cause detected by other tools

high
Insecure deserialization in message queue consumer
TruffleHogSecretslow
Container running as root
Burp SuiteDASTlow
Container running as root
Burp SuiteDAST

Asset & application

Application
ledger
acme/ledger
Asset
ledger-iam-role-44
GCP · eu-central-1 · qa
Owner
James Ortiz · Checkout
Tool
SemgrepSAST

Timeline

  1. Detected by Semgrep
    almost 57 years ago
  2. Re-confirmed in latest scan
    over 56 years ago
  3. Auto-correlated with 2 peer findings
    2 days ago
  4. Priority raised — KEV match
    1 day ago

Remediation ticket

No remediation ticket yet. Create one to assign an owner and track it on the Remediation kanban.
SLA 30d · age 155d