CodeAnt AI home pagelight logodark logo
  • Dashboard
  • Dashboard
  • Documentation
  • Demo Call with CEO
  • Blog
  • Slack
    • Get Started
    • CodeAnt AI
    • Setup
    • Control Center
    • Pull Request Review
    • IDE
    • Compliance
    • Anti-Patterns
    • Code Governance
    • Infrastructure Security Database
    • Application Security Database
      • Apex
      • Bash
      • C
      • Clojure
      • Cpp
      • Csharp
      • Dockerfile
      • Elixir
      • Fingerprints
      • Generic
      • Go
      • Html
      • Java
        • Android
        • Aws-lambda
        • Castor
        • Java-jwt
        • Jax-rs
        • Jboss
        • Jdo
        • Jedis
        • Jjwt
        • Jsch
        • Kryo
        • Lang
        • Micronaut
        • Mongo
        • Mongodb
        • Mysql
        • Okhttp
        • Rmi
        • Servlets
        • Spring
          • Log-http-headers
          • Security
          • Security
            • Audit
            • Audit
            • Castor-deserialization-deepsemgrep
            • Hibernate-sqli
            • Injection
            • Jdbctemplate-sqli
            • Jdo-sqli
            • Jpa-sqli
            • Kryo-deserialization-deepsemgrep
            • Objectinputstream-deserialization-spring
            • Spring-sqli-deepsemgrep
            • Spring-tainted-code-execution
            • Spring-tainted-ldap-injection
            • Spring-tainted-xmldecoder
            • Tainted-ssrf-spring-add
            • Tainted-ssrf-spring-format
            • Xstream-anytype-deserialization-deepsemgrep
            • Xxe
          • Simple-command-injection-direct-input
          • Spring-tainted-path-traversal
          • Tainted-html-string-responsebody
        • Thymeleaf
        • Xstream
      • Javascript
      • Json
      • Kotlin
      • Ocaml
      • Php
      • Problem-based-packs
      • Python
      • Ruby
      • Rust
      • Scala
      • Solidity
      • Swift
      • Terraform
      • Typescript
      • Yaml
    Security

    Audit

    spring-actuator-fully-enabled

    Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
    OWASP:
    - A01:2021 - Broken Access Control

    spring-jsp-eval

    A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
    OWASP:
    - A03:2021 - Injection

    spring-sqli

    Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using ‘connection.prepareStatement’.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection

    spring-actuator-dangerous-endpoints-enabled

    Spring Boot Actuators ”$…ACTUATORS” are enabled. Depending on the actuators, this can pose a significant security risk. Please double-check if the actuators are needed and properly secured.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
    OWASP:
    - A01:2021 - Broken Access Control

    spring-actuator-fully-enabled-yaml

    Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a severe security risk.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
    OWASP:
    - A01:2021 - Broken Access Control

    spel-injection

    A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-94: Improper Control of Generation of Code (‘Code Injection’)
    OWASP:
    - A03:2021 - Injection

    spring-unvalidated-redirect

    Application redirects a user to a destination URL specified by a user supplied parameter that is not validated.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
    OWASP:
    - A01:2021 - Broken Access Control

    spring-csrf-disabled

    CSRF protection is disabled for this configuration. This is a security risk.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-352: Cross-Site Request Forgery (CSRF)
    OWASP:
    - A01:2021 - Broken Access Control

    spring-actuator-dangerous-endpoints-enabled-yaml

    Spring Boot Actuator “$ACTUATOR” is enabled. Depending on the actuator, this can pose a significant security risk. Please double-check if the actuator is needed and properly secured.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
    OWASP:
    - A01:2021 - Broken Access Control
    SecurityCookie serializer secure false
    twitterlinkedin
    Powered by Mintlify
    Assistant
    Responses are generated using AI and may contain mistakes.