When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content. Likelihood: LOW Confidence: MEDIUM CWE: - CWE-93: Improper Neutralization of CRLF Sequences (‘CRLF Injection’)
OWASP: - A03:2021 - Injection
script-engine-injection
Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter ‘.eval()’, otherwise, this is a code injection vulnerability. Likelihood: LOW Confidence: LOW CWE: - CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP: - A03:2021 - Injection
xssrequestwrapper-is-insecure
It looks like you’re using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself. Likelihood: LOW Confidence: LOW CWE: - CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: - A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
cookie-missing-secure-flag
A cookie was detected without setting the ‘secure’ flag. The ‘secure’ flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the ‘secure’ flag by calling ‘$COOKIE.setSecure(true);‘ Likelihood: LOW Confidence: LOW CWE: - CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
OWASP: - A05:2021 - Security Misconfiguration
cookie-missing-httponly
A cookie was detected without setting the ‘HttpOnly’ flag. The ‘HttpOnly’ flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the ‘HttpOnly’ flag by calling ‘cookie.setHttpOnly(true);‘ Likelihood: LOW Confidence: LOW CWE: - CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag
OWASP: - A05:2021 - Security Misconfiguration
java-reverse-shell
Semgrep found potential reverse shell behavior Likelihood: LOW Confidence: LOW CWE: - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
tainted-session-from-http-request
Detected input from a HTTPServletRequest going into a session command, like setAttribute. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what’s trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls. Likelihood: MEDIUM Confidence: MEDIUM CWE: - CWE-501: Trust Boundary Violation
OWASP: - A04:2021 - Insecure Design
el-injection
An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation. Likelihood: LOW Confidence: LOW CWE: - CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP: - A03:2021 - Injection
bad-hexa-conversion
‘Integer.toHexString()’ strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use ‘String.format(“%02X”, …)’ instead. Likelihood: LOW Confidence: LOW CWE: - CWE-704: Incorrect Type Conversion or Cast
OWASP: - A03:2017 - Sensitive Data Exposure
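The collision the bad-hexa-conversion entry describes, shown concretely. This is an added example, not part of the rule text: it runs the flagged Integer.toHexString() loop and the String.format("%02x") form side by side on two constructed byte arrays chosen so that the weak form collides, then on a real SHA-256 digest.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example, not from the Semgrep rule text: contrasts the flagged
// Integer.toHexString() loop with the String.format("%02x") form.
public class HexConversion {

    // Flagged pattern: any byte below 0x10 becomes a single hex digit, so the
    // output length varies and distinct digests can map to the same string.
    static String weakHex(byte[] digest) {
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(Integer.toHexString(b & 0xff));
        }
        return sb.toString();
    }

    // Correct form: exactly two characters per byte.
    static String safeHex(byte[] digest) {
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    static byte[] sha256(String s) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: two different byte sequences chosen so that dropping
        // leading zeros makes them collide ("1"+"23" versus "12"+"3").
        byte[] a = {0x01, 0x23};
        byte[] b = {0x12, 0x03};
        System.out.println("weakHex collision: " + weakHex(a).equals(weakHex(b)));
        System.out.println("safeHex collision: " + safeHex(a).equals(safeHex(b)));

        // On a real digest the weak form is typically shorter than the 64 characters
        // a SHA-256 hex string must have, which is the tell-tale sign of this bug.
        byte[] d = sha256("password");
        System.out.println("weakHex length=" + weakHex(d).length()
                + " safeHex length=" + safeHex(d).length());
    }
}
```

Note that masking with `& 0xff` is necessary in both forms: without it a negative byte is sign-extended and Integer.toHexString() emits eight characters such as "ffffffa0".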
md5-used-as-password
It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use javax.crypto.SecretKeyFactory with SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1") (or "PBKDF2WithHmacSHA256", available since Java 8) or, if using Spring, org.springframework.security.crypto.bcrypt. Likelihood: HIGH Confidence: MEDIUM CWE: - CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP: - A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
blowfish-insufficient-key-size
Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead. Likelihood: HIGH Confidence: HIGH CWE: - CWE-326: Inadequate Encryption Strength
OWASP: - A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
command-injection-process-builder
A formatted or concatenated string was detected as input to a ProcessBuilder call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized. Likelihood: LOW Confidence: LOW CWE: - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
formatted-sql-string
Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using ‘connection.prepareStatement’. Likelihood: HIGH Confidence: MEDIUM CWE: - CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
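The formatted-string pattern next to its PreparedStatement replacement, run against the same hostile input. This is an added example, not part of the rule text. It assumes an H2 JDBC driver on the classpath for the in-memory database (any JDBC driver behaves the same way) and Java 9 or later for Set.of. It also covers the case the rule cannot fix with ‘?’: identifiers such as ORDER BY columns cannot be bound as parameters and need an allowlist.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Set;

// Added example, not from the Semgrep rule text.
public class SqlLookup {

    // Flagged pattern: the user value is formatted into the statement text, so a
    // value such as "x' OR '1'='1" changes the structure of the query.
    static int countByNameVulnerable(Connection conn, String name) throws SQLException {
        String sql = String.format("SELECT COUNT(*) FROM users WHERE name = '%s'", name);
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Fixed: the statement text is constant; the value travels as a bound parameter
    // and is never parsed as SQL.
    static int countByName(Connection conn, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // Caveat: identifiers (column names, ORDER BY targets) cannot be bound with '?'.
    // Validate them against a fixed allowlist instead of formatting them in.
    private static final Set<String> SORTABLE = Set.of("name", "created_at");

    static PreparedStatement listSorted(Connection conn, String column) throws SQLException {
        if (!SORTABLE.contains(column)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return conn.prepareStatement("SELECT id, name FROM users ORDER BY " + column);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: H2 on the classpath; the schema and rows are constructed for the example.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE users(id INT, name VARCHAR(64), created_at TIMESTAMP)");
                st.execute("INSERT INTO users VALUES (1, 'alice', NOW()), (2, 'bob', NOW())");
            }
            String hostile = "nobody' OR '1'='1";
            System.out.println("formatted string matched: " + countByNameVulnerable(conn, hostile));
            System.out.println("prepared statement matched: " + countByName(conn, hostile));

            try (PreparedStatement ps = listSorted(conn, "name"); ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    System.out.println("sorted: " + rs.getString("name"));
                }
            }
        }
    }
}
```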
ognl-injection
An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation. Likelihood: LOW Confidence: LOW CWE: - CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP: - A03:2021 - Injection
tainted-ldapi-from-http-request
Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data. Likelihood: MEDIUM Confidence: MEDIUM CWE: - CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
cbc-padding-oracle
Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. Use ‘AES/GCM/NoPadding’ instead. Likelihood: HIGH Confidence: HIGH CWE: - CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP: - A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
unvalidated-redirect
Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs. Likelihood: MEDIUM Confidence: MEDIUM CWE: - CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP: - A01:2021 - Broken Access Control
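An allowlist validator of the kind the unvalidated-redirect entry recommends, as an added example (not from the rule text). The allowed hosts, the fallback target and the probe inputs are constructed for the example; the validator accepts only same-site absolute paths or https URLs on an allowlisted host, and the probes cover the usual bypass attempts (protocol-relative ‘//host’, userinfo tricks, backslashes, non-http schemes).

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Set;

// Added example, not from the Semgrep rule text.
public class RedirectValidator {
    // Assumptions for the example: the application's own hosts and a safe fallback.
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com", "accounts.example.com");
    private static final String DEFAULT = "/";

    // Returns either a same-site absolute path or an https URL on an allowlisted host;
    // anything else falls back to DEFAULT rather than being "cleaned up".
    static String safeTarget(String supplied) {
        if (supplied == null || supplied.isBlank()) {
            return DEFAULT;
        }
        // Backslashes and control characters defeat naive "starts with /" checks:
        // browsers treat "/\evil" like "//evil".
        if (supplied.contains("\\") || supplied.chars().anyMatch(c -> c < 0x20)) {
            return DEFAULT;
        }
        URI uri;
        try {
            uri = new URI(supplied);
        } catch (URISyntaxException e) {
            return DEFAULT;
        }
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            // Relative reference: require exactly one leading slash so "//evil" is excluded.
            String path = uri.getRawPath();
            if (path != null && path.startsWith("/") && !path.startsWith("//")) {
                return supplied;
            }
            return DEFAULT;
        }
        if ("https".equals(uri.getScheme())
                && uri.getUserInfo() == null              // reject "https://good@evil/"
                && uri.getHost() != null
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase())) {
            return supplied;
        }
        return DEFAULT;
    }

    public static void main(String[] args) {
        // Constructed inputs as they might arrive in a "next" or "returnUrl" parameter.
        List<String> probes = List.of(
            "/account/settings",
            "https://app.example.com/dashboard",
            "https://evil.example.net/phish",
            "//evil.example.net",
            "https://app.example.com@evil.example.net/",
            "/\\evil.example.net",
            "javascript:alert(1)",
            "settings");
        for (String p : probes) {
            System.out.println(p + " -> " + safeTarget(p));
        }
    }
}
```

Returning the original string unchanged (rather than a normalised form) keeps the check and the redirect in agreement; any rewriting between validation and use reopens the problem.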
insecure-smtp-connection
Insecure SMTP connection detected. This connection does not verify that the server’s certificate matches the host it connects to, so any certificate the JVM trusts, including one issued to a different host, is accepted. Enable server identity verification by setting ‘email.setSSLCheckServerIdentity(true)’. Likelihood: LOW Confidence: MEDIUM CWE: - CWE-297: Improper Validation of Certificate with Host Mismatch
OWASP: - A07:2021 - Identification and Authentication Failures
permissive-cors
https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks. Likelihood: LOW Confidence: LOW CWE: - CWE-183: Permissive List of Allowed Inputs
OWASP: - A04:2021 - Insecure Design
unsafe-reflection
If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner. Likelihood: LOW Confidence: LOW CWE: - CWE-470: Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’)
OWASP: - A03:2021 - Injection
url-rewriting
URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties. Likelihood: LOW Confidence: LOW CWE: - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP: - A01:2021 - Broken Access Control
ldap-entry-poisoning
An object-returning LDAP search will allow attackers to control the LDAP response. This could lead to Remote Code Execution. Likelihood: LOW Confidence: LOW CWE: - CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
tainted-env-from-http-request
Detected input from a HTTPServletRequest going into the environment variables of an ‘exec’ command. Instead, call the command with user-supplied arguments by using the overloaded method that takes a String array, so each value is passed as a separate argument rather than through the environment: exec(new String[]{"command", "arg1", "arg2"}). Likelihood: MEDIUM Confidence: MEDIUM CWE: - CWE-454: External Initialization of Trusted Variables or Data Stores
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
overly-permissive-file-permission
Detected file permissions that are overly permissive (read, write, and execute). It is generally bad practice to set overly permissive file permissions such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need. Likelihood: LOW Confidence: LOW CWE: - CWE-276: Incorrect Default Permissions
OWASP: - A01:2021 - Broken Access Control
dangerous-groovy-shell
An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation. Likelihood: LOW Confidence: LOW CWE: - CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP: - A03:2021 - Injection
ldap-injection
Detected non-constant data passed into an LDAP query. If this data can be controlled by an external user, this is an LDAP injection. Ensure data passed to an LDAP query is not controllable; or properly sanitize the data. Likelihood: LOW Confidence: LOW CWE: - CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
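One example serving both LDAP entries above (tainted-ldapi-from-http-request and ldap-injection), added here and not part of the rule text. It shows the concatenated filter next to an RFC 4515 escaping routine, and the JNDI ‘filterArgs’ form, which escapes values itself and is the parameterized equivalent of a prepared statement. The escaping part runs offline; the live search only runs when an LDAP URL, bind DN and password are passed on the command line, and the base DN ou=people,dc=example,dc=com is an assumption.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Added example, not from the Semgrep rule text.
public class LdapLookup {

    // RFC 4515 filter-value escaping: the five characters that change a filter's meaning.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Flagged pattern: a uid of "*)(uid=*))(|(uid=*" turns the equality match into a wildcard.
    static String filterVulnerable(String uid) {
        return "(&(objectClass=person)(uid=" + uid + "))";
    }

    static String filterEscaped(String uid) {
        return "(&(objectClass=person)(uid=" + escapeFilterValue(uid) + "))";
    }

    // Preferred: JNDI replaces {0} with the argument as a literal value and escapes it.
    static NamingEnumeration<SearchResult> findUser(DirContext ctx, String uid) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningObjFlag(false);   // see ldap-entry-poisoning below: never return objects
        return ctx.search("ou=people,dc=example,dc=com",   // assumption: the people base DN
                          "(&(objectClass=person)(uid={0}))", new Object[]{uid}, sc);
    }

    public static void main(String[] args) throws Exception {
        String hostile = "*)(uid=*))(|(uid=*";   // constructed injection payload
        System.out.println("concatenated: " + filterVulnerable(hostile));
        System.out.println("escaped:      " + filterEscaped(hostile));

        // Live search only when a server is supplied: <ldap-url> <bind-dn> <password>.
        if (args.length == 3) {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, args[0]);
            env.put(Context.SECURITY_AUTHENTICATION, "simple");   // authenticated, not anonymous bind
            env.put(Context.SECURITY_PRINCIPAL, args[1]);
            env.put(Context.SECURITY_CREDENTIALS, args[2]);
            DirContext ctx = new InitialDirContext(env);
            try {
                NamingEnumeration<SearchResult> results = findUser(ctx, hostile);
                System.out.println("matches for hostile uid: " + results.hasMore());
            } finally {
                ctx.close();
            }
        }
    }
}
```

Escaping covers filter values only; a value that lands in a distinguished name (for example a bind DN built from a username) needs RFC 4514 DN escaping, which is a different character set.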
command-injection-formatted-runtime-call
A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized. Likelihood: LOW Confidence: LOW CWE: - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
http-response-splitting
Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself. Likelihood: MEDIUM Confidence: MEDIUM CWE: - CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’)
OWASP: - A03:2021 - Injection
tainted-xpath-from-http-request
Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can. Likelihood: HIGH Confidence: MEDIUM CWE: - CWE-643: Improper Neutralization of Data within XPath Expressions (‘XPath Injection’)
OWASP: - A03:2021 - Injection
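The parameterized XPath query the tainted-xpath-from-http-request entry suggests, as an added example that is not part of the rule text. It uses the JDK's XPathVariableResolver so the expression stays constant and the request value is bound as a variable; the XML document and the tautology payload are constructed for the example, and the DOCTYPE-disabling feature is the Xerces one shipped with the JDK.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Added example, not from the Semgrep rule text.
public class XPathLookup {
    // Constructed sample document standing in for a users.xml credential store.
    static final String XML =
        "<users>"
      + "<user name='alice' role='admin'><secret>s3cr3t</secret></user>"
      + "<user name='bob' role='user'><secret>hunter2</secret></user>"
      + "</users>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, no XXE
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Flagged pattern: the request value is concatenated into the expression.
    static int countVulnerable(Document doc, String name) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        String expr = "/users/user[@name='" + name + "']/secret";
        return ((NodeList) xp.evaluate(expr, doc, XPathConstants.NODESET)).getLength();
    }

    // Parameterized: the expression is constant; the value arrives through a variable
    // resolver, so quotes and operators in it are only characters.
    static int countSafe(Document doc, String name) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(v -> "name".equals(v.getLocalPart()) ? name : null);
        XPathExpression expr = xp.compile("/users/user[@name=$name]/secret");
        return ((NodeList) expr.evaluate(doc, XPathConstants.NODESET)).getLength();
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(XML);
        String hostile = "' or '1'='1";   // tautology: selects every user's secret when concatenated
        System.out.println("concatenated matched:   " + countVulnerable(doc, hostile));
        System.out.println("parameterized matched:  " + countSafe(doc, hostile));
        System.out.println("legitimate lookup:      " + countSafe(doc, "alice"));
    }
}
```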
jdbc-sql-formatted-string
Possible JDBC injection detected. Use the parameterized query feature available in queryForObject instead of concatenating or formatting strings: ‘jdbc.queryForObject(“select * from table where name = ?”, Integer.class, parameterName);‘ Likelihood: LOW Confidence: LOW CWE: - CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
tainted-cmd-from-http-request
Detected input from a HTTPServletRequest going into a ‘ProcessBuilder’ or ‘exec’ command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values. Likelihood: MEDIUM Confidence: MEDIUM CWE: - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP: - A01:2017 - Injection
- A03:2021 - Injection
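The hardened form the tainted-cmd-from-http-request entry asks for, as an added example (not code from the rule text): no shell, one argv element per token, the single user-controlled token validated against a strict hostname pattern, and the child environment cleared so request-derived values cannot reach it (the concern of the tainted-env-from-http-request entry above). It assumes Java 11 or later, a ‘ping’ binary on the PATH whose option parser honours ‘--’, and the hostname grammar is the example's own.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not from the Semgrep rule text.
public class PingService {

    // Flagged pattern: request input spliced into a shell command line, so a host of
    // "example.com; id" runs a second command.
    static Process pingVulnerable(String host) throws IOException {
        return new ProcessBuilder("sh", "-c", "ping -c 1 " + host).start();
    }

    // Hostname grammar (assumption for the example): dot-separated labels of letters,
    // digits and inner hyphens. Anything else, including a leading '-', is rejected.
    private static final Pattern HOSTNAME = Pattern.compile(
        "^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$");

    static Process ping(String host) throws IOException {
        if (host == null || host.length() > 253 || !HOSTNAME.matcher(host).matches()) {
            throw new IllegalArgumentException("invalid hostname");
        }
        // No shell: each element is one argv entry. "--" ends option parsing so the
        // value can never be read as a flag (assumes the binary honours it, as getopt does).
        ProcessBuilder pb = new ProcessBuilder(List.of("ping", "-c", "1", "--", host));
        pb.environment().clear();                         // nothing request-derived leaks in
        pb.environment().put("PATH", "/usr/bin:/bin");
        pb.redirectErrorStream(true);
        return pb.start();
    }

    static String run(Process p) throws IOException, InterruptedException {
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        p.waitFor();
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs as they might arrive from request.getParameter("host").
        for (String host : List.of("localhost", "example.com; id", "-f", "$(id)")) {
            try {
                System.out.println(host + " -> " + run(ping(host)).trim());
            } catch (IllegalArgumentException e) {
                System.out.println(host + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Splitting into an argument array removes shell metacharacters from the picture but not option injection; the allowlist pattern and the ‘--’ separator are what close that second hole.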
object-deserialization
Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object. Likelihood: LOW Confidence: LOW CWE: - CWE-502: Deserialization of Untrusted Data
OWASP: - A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
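The ObjectInputStream allowlist that the object-deserialization entry's advice ("ensure the objects being deserialized are not user-controlled") reduces to in practice, shown as an added example that is not part of the rule text. It uses java.io.ObjectInputFilter (Java 9 and later, also backported to 8u121) to accept only the one expected class and to cap stream depth and size; the Greeting type, the limits and the stand-in "hostile" stream are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example, not from the Semgrep rule text.
public class SafeDeserialization {

    // The only type this endpoint legitimately receives (constructed for the example).
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Flagged pattern: whatever class the stream names is instantiated, gadget chains included.
    static Object readVulnerable(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened: an allowlist filter admits only Greeting (and String for its field),
    // rejects everything else ("!*"), and bounds depth, references and bytes.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=5;maxrefs=100;maxbytes=65536;"
        + Greeting.class.getName() + ";java.lang.String;!*");

    static Greeting readSafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);   // checked before any class is resolved
            return (Greeting) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] ok = serialize(new Greeting("hello"));
        System.out.println("accepted: " + readSafe(ok).text);

        // Stand-in for an attacker-chosen class: harmless here, but the point is that
        // the filter rejects it before any of its code runs. A real payload would name
        // a chain of library classes whose readObject methods do the damage.
        byte[] hostile = serialize(new java.util.ArrayList<String>());
        System.out.println("unfiltered stream produced: " + readVulnerable(hostile).getClass().getName());
        try {
            readSafe(hostile);
            System.out.println("filter did NOT reject");
        } catch (InvalidClassException e) {
            System.out.println("filter rejected: " + e.getMessage());
        }
    }
}
```

A process-wide default can be set with the jdk.serialFilter system property, but a per-stream filter like this one is what lets each endpoint name exactly the types it expects.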
anonymous-ldap-bind
Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information. Likelihood: LOW Confidence: LOW CWE: - CWE-287: Improper Authentication
OWASP: - A02:2017 - Broken Authentication
- A07:2021 - Identification and Authentication Failures
xml-decoder
XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention. Likelihood: LOW Confidence: LOW CWE: - CWE-611: Improper Restriction of XML External Entity Reference
OWASP: - A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
weak-ssl-context
An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(“TLSv1.2”) at minimum; “TLSv1.3” is available on Java 11 and later (and on recent Java 8 updates) and is preferable where both ends support it. Likelihood: LOW Confidence: HIGH CWE: - CWE-326: Inadequate Encryption Strength
OWASP: - A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures