Detected non-constant data passed into a NoSQL query using the ‘where’ evaluation operator. If this data can be controlled by an external user, this is a NoSQL injection. Ensure data passed to the NoSQL query is not user controllable, or properly sanitize the data. Ideally, avoid using the ‘where’ operator at all and instead use the helper methods provided by com.mongodb.client.model.Filters with comparative operators such as eq, ne, lt, gt, etc.

Likelihood: LOW
Confidence: LOW
CWE:
- CWE-943: Improper Neutralization of Special Elements in Data Query Logic
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
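
The flagged pattern next to the Filters-based form, as an added example that is not part of the rule's own source. The class name, the `username` field and the sample inputs are assumptions made for illustration; the MongoDB Java driver must be on the classpath, and no server is needed because the filters are only rendered.

```java
import com.mongodb.MongoClientSettings;
import com.mongodb.client.model.Filters;
import org.bson.BsonDocument;
import org.bson.conversions.Bson;

public class WhereFilterExample {

    // Pattern the rule flags: request data concatenated into the JavaScript
    // expression given to Filters.where, so the input becomes query logic.
    static Bson flaggedFilter(String username) {
        return Filters.where("this.username == '" + username + "'");
    }

    // Preferred form: Filters.eq sends the input as a BSON string value.
    // Taking a String parameter also keeps operator documents out of the value.
    static Bson typedFilter(String username) {
        return Filters.eq("username", username);
    }

    // Render a filter as the document the driver would send (no server needed).
    static String render(Bson filter) {
        return filter
                .toBsonDocument(BsonDocument.class, MongoClientSettings.getDefaultCodecRegistry())
                .toJson();
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for a request parameter
        // (hypothetical field name "username").
        String ordinary = "alice";
        String withQuote = "alice' || 'a' == 'a";

        for (String input : new String[] {ordinary, withQuote}) {
            System.out.println("input:   " + input);
            System.out.println("flagged: " + render(flaggedFilter(input)));
            System.out.println("typed:   " + render(typedFilter(input)));
        }
        // In application code the typed filter is what gets passed to
        // collection.find(typedFilter(input)).
    }
}
```

For the second input, the flagged filter's `$where` expression gains an extra `||` clause taken from the input, while the typed filter carries the whole string as the value compared against `username`.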