SQL injection (SQLi) vulnerabilities continue to plague software supply chains, prompting the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) to issue a joint alert urging vendors to develop more secure software products.
CISA and the FBI said this week that the new Secure by Design guidance is a direct response to the recent widespread exploitation of an SQLi flaw in the MOVEit Transfer file transfer application.
SQL injection vulnerabilities arise when attacker-controlled input is spliced into the text of a SQL statement rather than passed to the database as a separate value, so quote characters and keywords in the input are parsed as part of the query. That lets threat actors change or extend the query the application intended to run and, in many cases, read, modify or delete sensitive information within the database.
“Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective fixes, software vendors continue to develop products with this flaw, which puts many customers at risk,” the agencies said in the joint Secure by Design alert. “Vulnerabilities such as SQLi have been considered by others to be an ‘unforgivable’ vulnerability since at least 2007. Despite this finding, SQL vulnerabilities (such as CWE-89) are still a prevalent class of vulnerability.”
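To make the mechanism described above concrete, and to show the kind of "effective fix" the alert refers to, here is an added example that is not part of the original article or of the CISA/FBI alert. It builds a small in-memory SQLite table of constructed sample users (the names, passwords and SSN values are invented), then runs a login check written two ways: `login_vulnerable`, which concatenates the form fields into the statement text (CWE-89), and `login_parameterized`, which keeps the statement fixed and binds the fields as values. The two payloads are classic tautology and UNION injections; both names and the `demo` helper are this example's own.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory sample data for the demo (not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, ssn) VALUES (?, ?, ?)",
        [
            ("alice", "correct-horse", "111-22-3333"),
            ("bob", "hunter2", "444-55-6666"),
        ],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """CWE-89: the form fields are spliced into the statement text, so quote
    characters and keywords in the input become part of the query's structure."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The fix: the statement is constant text and the inputs travel as bound
    parameters, so they are only ever compared as values, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Payloads an attacker could type into a login form (constructed for the demo).
# A tautology in the password field turns the WHERE clause into
#   (username = 'alice' AND password = '') OR '1'='1'
# which is true for every row, so the check passes for all users.
BYPASS_PASSWORD = "' OR '1'='1"
# A UNION in the username field appends a second SELECT that reads another
# column; the trailing -- comments out the rest of the original statement.
EXFIL_USERNAME = "' UNION SELECT ssn FROM users --"


def demo() -> dict:
    """Run both implementations against a legitimate login and both payloads."""
    conn = build_sample_db()
    return {
        "legit": login_parameterized(conn, "alice", "correct-horse"),
        "bypass_vuln": sorted(login_vulnerable(conn, "alice", BYPASS_PASSWORD)),
        "bypass_safe": login_parameterized(conn, "alice", BYPASS_PASSWORD),
        "exfil_vuln": sorted(login_vulnerable(conn, EXFIL_USERNAME, "x")),
        "exfil_safe": login_parameterized(conn, EXFIL_USERNAME, "x"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:12s} -> {rows}")
```

The vulnerable version returns every username for the tautology payload and leaks the `ssn` column for the UNION payload; the parameterized version returns nothing for either, because the payload strings are compared as literal usernames and passwords that do not exist. Parameterized queries are the fix the alert points at: they remove the string-concatenation step rather than trying to filter dangerous characters out of it.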