Lang
Security
xmlinputfactory-possible-xxe
xmlinputfactory-possible-xxe
XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting “javax.xml.stream.isSupportingExternalEntities” to false.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
do-privileged-use
do-privileged-use
Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-269: Improper Privilege Management
OWASP:
- A04:2021 - Insecure Design
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-269: Improper Privilege Management
OWASP:
- A04:2021 - Insecure Design
httpservlet-path-traversal
httpservlet-path-traversal
Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with ’../’. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(…) to only retrieve the file name from the path.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
jackson-unsafe-deserialization
jackson-unsafe-deserialization
When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A8:2017 Insecure Deserialization
- A8:2021 Software and Data Integrity Failures
$JSON it might be possible to provide a malicious JSON which can be used to exploit unsecure deserialization. In order to prevent this issue, avoid to enable default typing (globally or by using “Per-class” annotations) and avoid using Object and other dangerous types for member variable declaration which creating classes for Jackson based deserialization.Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A8:2017 Insecure Deserialization
- A8:2021 Software and Data Integrity Failures
insecure-jms-deserialization
insecure-jms-deserialization
JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
servletresponse-writer-xss
servletresponse-writer-xss
Cross-site scripting detected in HttpServletResponse writer with variable ‘VAR)’.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
xmlinputfactory-external-entities-enabled
xmlinputfactory-external-entities-enabled
XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting “javax.xml.stream.isSupportingExternalEntities” to false.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
use-snakeyaml-constructor
use-snakeyaml-constructor
Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(…) constructor instead, with SafeConstructor or a custom Constructor as the argument.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures