Security
command-injection-shell-call
A call to clojure.java.shell has been found. This could lead to remote code execution (RCE) if the inputs are user-controllable; ensure their origin is validated and sanitized.
Likelihood: MEDIUM
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
documentbuilderfactory-xxe
DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity (XXE) attacks. Disable this by setting the feature “http://apache.org/xml/features/disallow-doctype-decl” to true. Alternatively, allow DOCTYPE declarations and prohibit only external entity declarations by setting the features “http://xml.org/sax/features/external-general-entities” and “http://xml.org/sax/features/external-parameter-entities” to false.
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
use-of-md5
MD5 hash algorithm detected. MD5 is not collision resistant and produces easily cracked password hashes. Replace it with a currently recommended hashing algorithm.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-328: Use of Weak Hash
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
use-of-sha1
Detected SHA1 hash algorithm, which is considered insecure. SHA1 is not collision resistant and is therefore not suitable for cryptographic signatures. Instead, use PBKDF2 for password hashing, or SHA256 or SHA512 for other hash function applications.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- CWE-328: Use of Weak Hash
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures