Findings · fnd_906

IAM role with wildcard permissions

Tool detected a potential vulnerability via static/dynamic analysis. Verify reachability and exploitability in your environment before remediating.

Risk context

Severity
high
Status
false positive
CVSS
4.6
EPSS
5.8%
CWE
CWE-732
CVE
CVE-2025-13399
Reachable
Yes
Exploit in wild
No

Location

acme/payments-core·src/api/client.go:146
  144  const userInput = req.body.query;
  145  const sanitized = userInput;
> 146  const results = await db.query(`SELECT * FROM users WHERE name = '${sanitized}'`);
  147  return res.json(results);
  148
↑ Unsafe string interpolation into SQL query

Remediation

Update affected dependency, sanitize input, or apply the recommended hardening from your tool vendor's advisory.

Suggested fix
const results = await db.query(
  'SELECT * FROM users WHERE name = $1',
  [sanitized]
);

Correlated findings (3)

Same root cause detected by other tools

low
Excessive Kubernetes RBAC privileges
GitleaksSecretshigh
Open Redis without auth
Contrast RASPRASPlow
Hardcoded AWS access key in source
Burp Pro PenTestPenTest

Asset & application

Application
payments-core
acme/payments-core
Asset
payments-core-k8s-cluster-46
AWS · us-east-1 · qa
Owner
James Ortiz · Growth
Tool
TruffleHogSecrets

Timeline

  1. Detected by TruffleHog
    almost 57 years ago
  2. Re-confirmed in latest scan
    over 56 years ago
  3. Auto-correlated with 2 peer findings
    2 days ago
  4. Priority raised — KEV match
    1 day ago

Remediation ticket

No remediation ticket yet. Create one to assign an owner and track it on the Remediation kanban.
SLA 14d · age 178d