A call to clojure.java.shell has been found; this could lead to an RCE if the inputs are user-controllable. Please ensure their origin is validated and sanitized.

Likelihood: MEDIUM
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
documentbuilderfactory-xxe
DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature "http://apache.org/xml/features/disallow-doctype-decl" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entity declarations. This can be done by setting the features "http://xml.org/sax/features/external-general-entities" and "http://xml.org/sax/features/external-parameter-entities" to false.

Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
use-of-md5
MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.

Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-328: Use of Weak Hash
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
use-of-sha1
Detected SHA1 hash algorithm, which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.

Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- CWE-328: Use of Weak Hash
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures