Findings for High #12
Finding [141965050|https://app.armorcode.com/#/findings/185/656/141965050] status changed from Open to Confirmed
Finding [141965073|https://app.armorcode.com/#/findings/185/656/141965073] status changed from Open to Confirmed
Finding [141965002|https://app.armorcode.com/#/findings/185/656/141965002] status changed from Open to Confirmed
Finding [141965075|https://app.armorcode.com/#/findings/185/656/141965075] status changed from Open to Confirmed
Finding [141965057|https://app.armorcode.com/#/findings/185/656/141965057] status changed from Open to Confirmed
Finding [141965049|https://app.armorcode.com/#/findings/185/656/141965049] status changed from Open to Confirmed
Finding [141965053|https://app.armorcode.com/#/findings/185/656/141965053] status changed from Open to Confirmed
Finding [141965061|https://app.armorcode.com/#/findings/185/656/141965061] status changed from Open to Confirmed
Finding [141965078|https://app.armorcode.com/#/findings/185/656/141965078] status changed from Open to Confirmed
Finding [141965074|https://app.armorcode.com/#/findings/185/656/141965074] status changed from Open to Confirmed
Finding [141965056|https://app.armorcode.com/#/findings/185/656/141965056] status changed from Open to Confirmed
Finding [141964999|https://app.armorcode.com/#/findings/185/656/141964999] status changed from Open to Confirmed
Finding [141965013|https://app.armorcode.com/#/findings/185/656/141965013] status changed from Open to Confirmed
Finding [141965040|https://app.armorcode.com/#/findings/185/656/141965040] status changed from Open to Confirmed
Finding [141965076|https://app.armorcode.com/#/findings/185/656/141965076] status changed from Open to Confirmed
Finding [141965072|https://app.armorcode.com/#/findings/185/656/141965072] status changed from Open to Confirmed
Finding [141965068|https://app.armorcode.com/#/findings/185/656/141965068] status changed from Open to Confirmed
Finding [141965059|https://app.armorcode.com/#/findings/185/656/141965059] status changed from Open to Confirmed
Finding [141965069|https://app.armorcode.com/#/findings/185/656/141965069] status changed from Open to Confirmed
Finding [141965027|https://app.armorcode.com/#/findings/185/656/141965027] status changed from Open to Confirmed
Finding [141965014|https://app.armorcode.com/#/findings/185/656/141965014] status changed from Open to Confirmed
Finding [141965018|https://app.armorcode.com/#/findings/185/656/141965018] status changed from Open to Confirmed
Finding [141965024|https://app.armorcode.com/#/findings/185/656/141965024] status changed from Open to Confirmed
Finding [141965015|https://app.armorcode.com/#/findings/185/656/141965015] status changed from Open to Confirmed
Finding [141965041|https://app.armorcode.com/#/findings/185/656/141965041] status changed from Open to Confirmed
Finding [141965021|https://app.armorcode.com/#/findings/185/656/141965021] status changed from Open to Confirmed
Finding [141965010|https://app.armorcode.com/#/findings/185/656/141965010] status changed from Open to Confirmed
Finding [141965023|https://app.armorcode.com/#/findings/185/656/141965023] status changed from Open to Confirmed
Finding [141965058|https://app.armorcode.com/#/findings/185/656/141965058] status changed from Open to Confirmed
Finding [141965019|https://app.armorcode.com/#/findings/185/656/141965019] status changed from Open to Confirmed
Finding [141965016|https://app.armorcode.com/#/findings/185/656/141965016] status changed from Open to Confirmed
Finding [141965020|https://app.armorcode.com/#/findings/185/656/141965020] status changed from Open to Confirmed
Finding [141965025|https://app.armorcode.com/#/findings/185/656/141965025] status changed from Open to Confirmed
Finding [141965017|https://app.armorcode.com/#/findings/185/656/141965017] status changed from Open to Confirmed
Finding [141965086|https://app.armorcode.com/#/findings/185/656/141965086] status changed from Open to Confirmed
Finding [141965022|https://app.armorcode.com/#/findings/185/656/141965022] status changed from Open to Confirmed
Finding [141965035|https://app.armorcode.com/#/findings/185/656/141965035] status changed from Open to Confirmed
Finding [141965070|https://app.armorcode.com/#/findings/185/656/141965070] status changed from Open to Confirmed
Finding [141965046|https://app.armorcode.com/#/findings/185/656/141965046] status changed from Open to Confirmed
Finding [141965088|https://app.armorcode.com/#/findings/185/656/141965088] status changed from Open to Confirmed
Finding [141965080|https://app.armorcode.com/#/findings/185/656/141965080] status changed from Open to Confirmed
Finding [141965012|https://app.armorcode.com/#/findings/185/656/141965012] status changed from Open to Confirmed
Finding [141965008|https://app.armorcode.com/#/findings/185/656/141965008] status changed from Open to Confirmed
Finding [141965089|https://app.armorcode.com/#/findings/185/656/141965089] status changed from Open to Confirmed
Finding [141965043|https://app.armorcode.com/#/findings/185/656/141965043] status changed from Open to Confirmed
Finding [151108794|https://app.armorcode.com/#/findings/185/656/151108794] status changed from Open to Confirmed
Finding [160096061|https://app.armorcode.com/#/findings/185/656/160096061] status changed from Open to Confirmed
Findings for High
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.
Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files. A patch exists as of version 2.5.22.
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.
Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.
When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw leaves applications that use its DOM deserializer vulnerable to XML external entity (XXE) attacks. The highest threat from this vulnerability is to data integrity.
References: DOMDeserializer: setExpandEntityReferences(false) may not prevent external entity expansion in all cases [CVE-2020-25649] FasterXML/jackson-databind#2589
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service for the application to reach, it is possible to make the service execute a malicious payload.
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.
ValueStack defines a special top object which represents the root of the execution context. It can be used to manipulate Struts' internals or to affect the container's settings. The fix applies a better regex that includes a pattern to exclude request parameters that try to use the top object. This issue was patched in Struts 2.3.24.1.
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.
Apache Struts contains a Remote Code Execution when using results with no namespace and its upper actions have no or wildcard namespace. The same flaw exists when using a url tag with no value and action set, and its upper actions have no or wildcard namespace.
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class ignite-jta.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks.
Both the s:url and s:a tags provide an includeParams attribute.
The main purpose of that attribute is to control whether HTTP request parameters are included or not.
The allowed values of includeParams are:
A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into the stack, afterwards used as a request parameter of a URL or A tag, which causes a further evaluation.
The second evaluation happens when the URL/A tag tries to resolve every parameter present in the original request.
This lets malicious users put arbitrary OGNL statements into any request parameter (not necessarily managed by the code) and have it evaluated as an OGNL expression to enable method execution and execute arbitrary methods, bypassing Struts and OGNL library protections.
The issue was originally addressed by Struts 2.3.14.1 and Security Announcement S2-013. However, the solution introduced with 2.3.14.1 did not address all possible attack vectors, such that every version of Struts 2 before 2.3.14.2 is still vulnerable to such attacks.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors. In Struts 2.3.20.1 a better set of exclude patterns was defined.
FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
References: BeanDeserializer._deserializeFromArray() to prevent use of deeply nested arrays [CVE-2022-42004] FasterXML/jackson-databind#3582
Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
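Every gadget finding in this list (mysql-connector-java, Jodd-db, logback, the dbcp and tomcat-dbcp DataSource and CPDS classes, ignite-jta, Anteros-DBCP, JndiConfiguration, commons-configuration) is reachable only because Default Typing lets the JSON payload itself name the class to instantiate. jackson-databind carries that name either as a two-element wrapper array, `["fully.qualified.Class", value]` (the default inclusion for Default Typing), or as a type-id property such as `"@class"`. Upgrading and disabling Default Typing (or using an allowlisting PolymorphicTypeValidator) is the fix; a request filter that rejects any class-shaped hint not on the application's own allowlist is a useful compensating control while the upgrades above are rolled out. The following is an added example, not code from ArmorCode or from jackson-databind; `ALLOWED_PREFIXES`, the request bodies and the property names checked are assumptions made for the example.

```python
"""Flag Jackson polymorphic type hints in inbound JSON before it is deserialized.

Added example; not code from ArmorCode or jackson-databind. ALLOWED_PREFIXES,
TYPE_ID_PROPERTIES and the request bodies below are assumed for the example.
"""
import json
import re
from typing import Any, Iterator, List, Tuple

# Type-id property names used for class-based (@class) and name-based (@type) typing.
TYPE_ID_PROPERTIES = {"@class", "@type"}

# A dotted identifier that looks like a fully qualified Java class name.
FQCN = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+$")

# Package prefixes the application legitimately deserializes polymorphically (assumed).
ALLOWED_PREFIXES = ("com.example.app.model.",)


def iter_type_hints(node: Any, path: str = "$") -> Iterator[Tuple[str, str, str]]:
    """Yield (json_path, hint_form, class_name) for every class-shaped type hint in `node`."""
    if isinstance(node, list):
        # Wrapper-array form: ["fully.qualified.Class", value]
        if len(node) == 2 and isinstance(node[0], str) and FQCN.match(node[0]):
            yield path, "WRAPPER_ARRAY", node[0]
        for i, item in enumerate(node):
            yield from iter_type_hints(item, f"{path}[{i}]")
    elif isinstance(node, dict):
        for key, value in node.items():
            # Property form: {"@class": "fully.qualified.Class", ...}. Logical type
            # names without a package (e.g. "circle") are not class hints and are skipped.
            if key in TYPE_ID_PROPERTIES and isinstance(value, str) and FQCN.match(value):
                yield path, "PROPERTY", value
            yield from iter_type_hints(value, f"{path}.{key}")


def findings(body: str) -> List[str]:
    """One message per non-allowlisted type hint; an empty list means the body may pass."""
    try:
        doc = json.loads(body)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        return [f"unparseable JSON: {exc}"]
    return [
        f"{path}: {form} hint names non-allowlisted class {cls}"
        for path, form, cls in iter_type_hints(doc)
        if not cls.startswith(ALLOWED_PREFIXES)
    ]


# Constructed request bodies (not captured traffic). The class names in the
# second one are taken from the findings above; the property values are empty.
CLEAN_BODY = json.dumps({
    "order": {"@class": "com.example.app.model.Order", "items": ["sku-1", "sku-2"]},
    "shape": {"@type": "circle", "radius": 2},
})
SUSPECT_BODY = json.dumps({
    "datasource": ["org.apache.commons.dbcp2.datasources.SharedPoolDataSource", {}],
    "nested": {"logger": {"@class": "com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource"}},
})


if __name__ == "__main__":
    for label, body in (("clean", CLEAN_BODY), ("suspect", SUSPECT_BODY)):
        print(label, findings(body) or "ok")
```

The filter only sees the two inclusion shapes above; minimal-class ids (`@c`, whose values are relative to the base type) and `WRAPPER_OBJECT` inclusion are not covered, and a legitimate two-element array whose first element happens to be a dotted string will be reported, so treat a hit as a reason to block and investigate rather than as proof of an attack.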
A flaw was found in hibernate-core in versions prior to 5.3.20.Final and in 5.4.0.Final up to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
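The affected-version statements in this list come in three shapes: a plain upper bound ("2.x before 2.9.10.8"), a branch-qualified bound ("before 2.12.7.1 and in 2.13.x before 2.13.4"), and an inclusive bound with a qualifier ("5.3.20.Final ... 5.4.0.Final up to and including 5.4.23.Final"). Checking fifty of these by eye against a lock file is where triage mistakes happen, so the added helper below, which is not ArmorCode's code nor any of the listed projects', evaluates a pinned version against rules transcribed from the findings above. It assumes Maven-style versions (numeric parts plus an optional qualifier such as `Final` or `rc1`) and does not model lower bounds such as "2.4.0-rc1 until 2.12.7.1".

```python
"""Evaluate 'affected version' statements from the findings above against a pinned version.

Added triage helper; not code from ArmorCode, FasterXML, Apache, Oracle or Red Hat.
A rule is (branch, bound, inclusive): bound is the first fixed version, or the last
affected one when inclusive is True; branch restricts the rule to one series
("2.13.x") or None for any. Rules are tried in order and the first branch match
decides. Lower bounds are not modelled: anything below the bound counts as affected.
"""
import re
from typing import List, Optional, Tuple

Rule = Tuple[Optional[str], str, bool]

# Qualifier ranking: pre-release tags sort below a plain release; "Final", "GA" and
# "RELEASE" are equal to a plain release; an unknown qualifier is treated as pre-release.
_PRE_RELEASE = {"snapshot": 0, "alpha": 1, "beta": 2, "rc": 3}
_RELEASE = {"", "final", "ga", "release"}
_RELEASE_RANK, _UNKNOWN_RANK = 10, 5

_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:[.-]?([A-Za-z]+)(\d*))?$")


def parse(version: str) -> Tuple[Tuple[int, ...], Tuple[int, int]]:
    """Split '2.13.4.2', '5.4.23.Final' or '2.4.0-rc1' into numeric parts and a qualifier key."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    qual = (m.group(2) or "").lower()
    qual_num = int(m.group(3) or 0)
    rank = _RELEASE_RANK if qual in _RELEASE else _PRE_RELEASE.get(qual, _UNKNOWN_RANK)
    return nums, (rank, qual_num)


def compare(a: str, b: str) -> int:
    """-1, 0 or 1; missing trailing numeric parts count as 0, so 2.9.10 == 2.9.10.0 < 2.9.10.8."""
    nums_a, qual_a = parse(a)
    nums_b, qual_b = parse(b)
    width = max(len(nums_a), len(nums_b))
    nums_a += (0,) * (width - len(nums_a))
    nums_b += (0,) * (width - len(nums_b))
    key_a, key_b = (nums_a, qual_a), (nums_b, qual_b)
    return (key_a > key_b) - (key_a < key_b)


def in_branch(version: str, branch: Optional[str]) -> bool:
    """'2.13.x' matches any version whose leading numbers are 2.13; None matches all."""
    if branch is None:
        return True
    want = tuple(int(p) for p in branch.rstrip(".x").split("."))
    return parse(version)[0][: len(want)] == want


def is_affected(version: str, rules: List[Rule]) -> bool:
    for branch, bound, inclusive in rules:
        if not in_branch(version, branch):
            continue
        c = compare(version, bound)
        return c <= 0 if inclusive else c < 0
    return False


# Rules transcribed from findings above (branch first, then the general bound).
RULES = {
    "jackson-databind gadget findings, 2.x before 2.9.10.8": [("2.x", "2.9.10.8", False)],
    "jackson-databind JndiConfiguration, 2.x before 2.6.7.5 and 2.7.x before 2.9.10.6":
        [("2.6.x", "2.6.7.5", False), ("2.x", "2.9.10.6", False)],
    "jackson-databind CVE-2022-42004, before 2.12.7.1 and 2.13.x before 2.13.4":
        [("2.13.x", "2.13.4", False), ("2.x", "2.12.7.1", False)],
    "hibernate-core, before 5.3.20.Final and 5.4.0.Final through 5.4.23.Final":
        [("5.4.x", "5.4.23.Final", True), ("5.x", "5.3.20.Final", False)],
}


if __name__ == "__main__":
    for pinned in ("2.9.10.7", "2.13.2", "2.14.0", "5.4.23.Final", "5.4.24.Final"):
        for name, rules in RULES.items():
            if is_affected(pinned, rules):
                print(f"{pinned}: affected by {name}")
```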
jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.
References: UntypedObjectDeserializer wrt recursion [CVE-2020-36518] FasterXML/jackson-databind#2816
In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.
References: UNWRAP_SINGLE_VALUE_ARRAYS [CVE-2022-42003] FasterXML/jackson-databind#3590
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 and org.json:json before version 20230227 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
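The four nesting findings above (deeply nested objects in UntypedObjectDeserializer, deeply nested arrays in BeanDeserializer._deserializeFromArray, wrapper-array nesting under UNWRAP_SINGLE_VALUE_ARRAYS, and XML.toJSONObject in hutool-json and org.json) share one failure mode: the parser recurses once per level, so the attacker chooses the stack depth. Upgrading is the fix; as defence in depth, a linear scan that tracks only bracket depth and string state runs in O(n) with constant stack and can sit in a gateway or servlet filter in front of the real parser. The block below is an added example, not code from jackson-databind, hutool or org.json; the depth limit and the sample documents are constructed for the example.

```python
"""Bound JSON nesting depth before a recursive parser sees the document.

Added example; not code from jackson-databind, hutool or org.json. The limit
and the sample documents are assumptions made for the example.
"""
import json


def nesting_depth(doc: str, limit: int = 1_000_000) -> int:
    """Deepest bracket nesting in `doc`, ignoring brackets that appear inside JSON strings.

    Returns limit + 1 as soon as the limit is exceeded, so a multi-megabyte run of
    '[' is rejected after `limit` characters rather than being scanned in full.
    Raises ValueError for an unterminated string or unbalanced brackets.
    """
    depth = deepest = 0
    in_string = escaped = False
    for ch in doc:
        if in_string:
            if escaped:
                escaped = False          # the character after a backslash is literal
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limit:
                return limit + 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("closing bracket without a matching opener")
    if in_string:
        raise ValueError("unterminated string")
    if depth != 0:
        raise ValueError("unbalanced brackets")
    return deepest


def accept(doc: str, limit: int = 100) -> bool:
    """True if `doc` is balanced and shallow enough to hand to the full parser."""
    try:
        return nesting_depth(doc, limit) <= limit
    except ValueError:
        return False


# Constructed inputs: a normal request body and a depth bomb of the kind the
# findings describe (the wrapper-array shape also covers UNWRAP_SINGLE_VALUE_ARRAYS).
NORMAL_BODY = '{"id": 7, "tags": ["a", "b"], "meta": {"note": "brackets in strings: [[{{"}}'
DEPTH_BOMB = "[" * 100_000 + "]" * 100_000


if __name__ == "__main__":
    print("normal body accepted:", accept(NORMAL_BODY))   # True
    print("depth bomb accepted:", accept(DEPTH_BOMB))     # False
    # Python's own json module is recursive as well and fails the same way the
    # Java parsers in the findings do, which is why depth is checked first.
    try:
        json.loads(DEPTH_BOMB)
    except RecursionError:
        print("json.loads on the depth bomb: RecursionError")
```

Pick the limit from the application's real schemas (a few dozen levels is generous for most APIs); the scan accepts anything the full parser would later reject for other reasons, so it is a pre-filter, not a validator.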