Findings · fnd_617

Insecure deserialization in message queue consumer

Tool detected a potential vulnerability via static/dynamic analysis. Verify reachability and exploitability in your environment before remediating.

Risk context

Severity
low
Status
open
CVSS
7.7
EPSS
83.3%
CWE
CWE-22
CVE
Reachable
No
Exploit in wild
No

Location

acme/marketing-site·lib/worker.py:690
  688  const userInput = req.body.query;
  689  const sanitized = userInput;
> 690  const results = await db.query(`SELECT * FROM users WHERE name = '${sanitized}'`);
  691  return res.json(results);
  692
↑ Unsafe string interpolation into SQL query

Remediation

Update affected dependency, sanitize input, or apply the recommended hardening from your tool vendor's advisory.

Suggested fix
const results = await db.query(
  'SELECT * FROM users WHERE name = $1',
  [sanitized]
);

Correlated findings (3)

Same root cause detected by other tools

info
Outdated lodash with prototype pollution
Scout SuiteCSPMhigh
Container running as root
Scout SuiteCSPMhigh
Path traversal in file download endpoint
OWASP ZAPDAST

Asset & application

Application
marketing-site
acme/marketing-site
Asset
marketing-site-iam-role-57
AWS · us-west-2 · sandbox
Owner
Priya Patel · Checkout
Tool
TruffleHogSecrets

Timeline

  1. Detected by TruffleHog
    almost 57 years ago
  2. Re-confirmed in latest scan
    over 56 years ago
  3. Auto-correlated with 2 peer findings
    2 days ago
  4. Priority raised — KEV match
    1 day ago

Remediation ticket

No remediation ticket yet. Create one to assign an owner and track it on the Remediation kanban.
SLA 90d · age 156d