I have run Zap scanning tool on my Grafana Project. we are using grafana 6.7.3 version.
Zap has reported SQL Injection alert of high severity. Below is detail of Alert -
| High (Medium) | SQL Injection |
|---|---|
| Description | SQL injection may be possible. |
| URL | http://<Ipaddress>/api/users/search?perpage=50&page=1+AND+1%3D1±-+&query= |
| Method | GET |
| Parameter | page |
| Attack | 1 AND 1=1 – |
Could you please let me know the resolution for the same.
Regards,
Abhimanyu
Hello
it seems to be high risk vulnerability under -
can some one respond how to overcome from this vulnerability.
regards,
Abhimanyu
@abhimanyumanocha Did you get any resolution? I am also facing the same.
Has this even been confirmed as a vulnerability, or is it just an automated
checking tool giving a false positive?
Antony.
The above mentioned URL does give the result back confirming SQL injection possible with authorized user
Does anyone has any idea?
Not sure what your question is?
Execution of arbitrary SQL is indeed possible if permissions are not configured properly on the SQL server. This is documented: PostgreSQL | Grafana Labs