SQL injection vulnerabilities continue to plague supply chains, prompting a joint alert from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on building safer software products.
CISA and the FBI said this week that the new Secure by Design guidance is a direct response to the recent broad exploitation of an SQLi defect in the MOVEit file transfer application.
SQL injection vulnerabilities allow threat actors to inject their own data into SQL commands, enabling them to run arbitrary queries and access sensitive information stored in the database.
“Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk,” the joint Secure by Design Alert said. “Vulnerabilities like SQLi have been considered by others an ‘unforgivable’ vulnerability since at least 2007. Despite this finding, SQL vulnerabilities (such as CWE-89) are still a prevalent class of vulnerability.”
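To make the mechanism and the mitigation concrete, here is an added example (not code from the alert or the article) using Python's built-in sqlite3 module: a constructed user lookup that splices input into the SQL text (the CWE-89 defect) beside the parameterized form the alert's "effective mitigations" refer to, with a constructed in-memory table and a constructed input containing SQL syntax.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # CWE-89: untrusted input becomes part of the SQL text, so the input can
    # change the structure of the query rather than just its comparison value.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    # Mitigation: the statement is fixed and the input is bound as a value,
    # so whatever the input contains is compared literally against the column.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    conn = make_db()
    normal = "alice"
    tainted = "x' OR '1'='1"  # constructed input containing SQL syntax
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_tainted": lookup_vulnerable(conn, tainted),  # returns every row
        "param_normal": lookup_parameterized(conn, normal),
        "param_tainted": lookup_parameterized(conn, tainted),  # no user has that name
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The only difference between the two functions is where the input ends up: in the query text or in a bound parameter, which is why the alert treats this class of defect as avoidable.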