sonatype-nexus-community / codetocloud-workshop
License: Other
WebGoatUser.java appears to hold passwords in plain text for longer than absolutely necessary. Should take password and immediately hash it for comparison to DB.
The zxcvbn library uses unsafe regular expressions that can be exploited by specific payloads to consume extreme server resources, leading to a Denial of Service. Steps should be taken to limit the impact if this vulnerability is exploited.
SecurePasswordsAssignment.java imports from zxcvbn, leading to the vulnerability. There is no recommendation for an update; other possible remediations could be:
- Remove zxcvbn completely and use a different library that is not vulnerable
- Keep zxcvbn and limit the resources any execution is allowed to consume.
None, based on vulnerability report here
Exploitation could lead to Denial of Service
codetocloud-workshop/config/dependency-check/project-suppression.xml
Lines 51 to 68 in 96ba5c7
Should check if later image tags resolve these issues.
Otherwise figure out if another base image also works
docker.io/eclipse-temurin:19-jre-focal (ubuntu 20.04)
=====================================================
Total: 107 (UNKNOWN: 0, LOW: 67, MEDIUM: 40, HIGH: 0, CRITICAL: 0)
This base image is used in ./Dockerfile
GitHub Actions uses Temurin 17
Dockerfile uses Temurin 19
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
The underscore package is vulnerable to Code Injection. The template function in underscore.js and template.js does not properly validate the variable property of the settings parameter to ensure it is a bare identifier. An attacker can exploit this by inputting malicious code to the variable property that would then be rendered and executed.
Primary cause is due to the following files:
underscore-1.10.2.tgz : package/underscore-min.js [1.3.2, 1.12.1)
underscore-1.10.2.tgz : package/underscore.js [1.3.2, 1.12.1)
underscore-1.10.2.tgz : package/modules/index.js [1.10.0, 1.11.0)
Issues will be present when built with the following modules.
The service will be impacted and the DBs hosted on it will be prone to code injection.
Unsanitized input from an HTTP parameter flows into prepareStatement, where it is used in an SQL query. This may result in an SQL Injection vulnerability.
Some of them:
src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
Details
In an SQL injection attack, the user can submit an SQL query directly to the database, gaining access without providing appropriate credentials. Attackers can then view, export, modify, and delete confidential information; change passwords and other authentication information; and possibly gain access to other systems within the network. This is one of the most commonly exploited categories of vulnerability, but can largely be avoided through good coding practices.
Avoid passing user-entered parameters directly to the SQL server.
Avoid using string concatenation to build SQL queries from user-entered parameters.
When coding, define SQL code first, then pass in parameters. Use prepared statements with parameterized queries. Examples include SqlCommand() in .NET and bindParam() in PHP.
Use strong typing for all parameters so unexpected user data will be rejected.
Where direct user input cannot be avoided for performance reasons, validate input against a very strict allowlist of permitted characters, avoiding special characters such as ? & / < > ; - ' " \ and spaces. Use a vendor-supplied escaping routine if possible.
Develop your application in an environment and/or using libraries that provide protection against SQL injection.
Harden your entire environment around a least-privilege model, ideally with isolated accounts with privileges only for particular tasks.
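To make the prepareStatement point above concrete, here is an added example (written for this page, not the project's own SqlInjectionLesson5b code) that contrasts a query concatenated before it is handed to prepareStatement with a properly parameterized one, run against a constructed in-memory HSQLDB table. The class name, table name and sample rows are assumptions, and an HSQLDB driver on the classpath is assumed (the project already depends on org.hsqldb:hsqldb).

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Hypothetical lookup written for this page; not the project's SqlInjectionLesson5b.
 * Shows why "flows into prepareStatement" is still an injection: prepareStatement
 * only protects values that are bound through placeholders.
 */
public class LastNameLookup {

    // VULNERABLE: the query text is assembled by concatenation before prepareStatement
    // sees it, so the attacker-controlled part is already SQL, not data.
    static int countVulnerable(Connection conn, String lastName) throws SQLException {
        String sql = "SELECT COUNT(*) FROM user_data WHERE last_name = '" + lastName + "'";
        try (PreparedStatement ps = conn.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // FIXED: the SQL text is constant and the HTTP parameter is bound with setString,
    // so whatever it contains is compared as a literal string.
    static int countSafe(Connection conn, String lastName) throws SQLException {
        String sql = "SELECT COUNT(*) FROM user_data WHERE last_name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, lastName);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed in-memory table with three sample rows (assumed schema).
        try (Connection conn = DriverManager.getConnection("jdbc:hsqldb:mem:demo", "SA", "");
             Statement st = conn.createStatement()) {
            st.execute("CREATE TABLE user_data (userid INT, last_name VARCHAR(50))");
            st.execute("INSERT INTO user_data VALUES (1, 'Smith'), (2, 'Jones'), (3, 'Plane')");

            String honest = "Smith";
            // The lesson's classic tampered input: the quote closes the literal and the
            // OR clause is always true in the concatenated query.
            String tampered = "x' OR '1'='1";

            // Concatenated query: only the Smith row for honest input, the whole table for tampered input.
            System.out.println("vulnerable/honest  : " + countVulnerable(conn, honest));
            System.out.println("vulnerable/tampered: " + countVulnerable(conn, tampered));
            // Parameterized query: the tampered string is just a last name nobody has.
            System.out.println("safe/honest        : " + countSafe(conn, honest));
            System.out.println("safe/tampered      : " + countSafe(conn, tampered));
        }
    }
}
```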
codetocloud-workshop/Dockerfile
Line 3 in 96ba5c7
HIGH: MAINTAINER should not be used: 'MAINTAINER "WebGoat team"'
Some of the static JavaScript libs included for the frontend include vulnerabilities including template injection. These dependencies should be kept up to date to prevent attacks.
None, based on CVE reports only
These are old libraries and represent many known CVEs with various threat levels, but include Template Injection, XSS and Prototype Injection attacks
When a cookie has the SameSite=Lax attribute, it means that the cookie will be sent along with cross-origin GET requests initiated by third-party websites.
Multiple CVEs open for Xstream, including http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7285
Upgrading to 1.4.20 will cause breaking changes that will need to be addressed.
Our Java version is stuck at 17.0.6, which does contain CVE vulnerabilities (https://security.snyk.io/package/linux/oracle:8/java-17-openjdk) in Dockerfile_desktop
Read Dockerfile_desktop :)
High
XStream does not provide security checks when creating Java objects. When untrusted data is processed, an attacker can provide crafted data that allows arbitrary code execution resulting in access to the host system that is only limited by the privileges of the running application.
The application is vulnerable by using this component as it is outdated.
Complete instructions, including specific configuration details, to reproduce the vulnerability.
High vulnerability that could potentially impact everyone company-wide
pom.xml (pom)
=============
Total: 60 (UNKNOWN: 1, LOW: 0, MEDIUM: 11, HIGH: 34, CRITICAL: 14)
┌─────────────────────────────────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬───────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ com.fasterxml.jackson.core:jackson-databind │ CVE-2022-42003 │ HIGH │ 2.13.3 │ 2.12.7.1, 2.13.4.1 │ deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-42003 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-42004 │ │ │ 2.12.7.1, 2.13.4 │ use of deeply nested arrays │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-42004 │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ com.google.guava:guava │ CVE-2023-2976 │ MEDIUM │ 31.1-jre │ 32.0.0 │ Guava vulnerable to insecure use of temporary directory │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-2976 │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ com.thoughtworks.xstream:xstream │ CVE-2013-7285 │ CRITICAL │ 1.4.5 │ 1.4.7 │ XStream: remote code execution due to insecure XML │
│ │ │ │ │ │ deserialization │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2013-7285 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21342 │ │ │ 1.4.16 │ XStream: SSRF via crafted input stream │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21342 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21344 │ │ │ │ XStream: Unsafe deserizaliation of │
│ │ │ │ │ │ javax.sql.rowset.BaseRowSet │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21344 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21345 │ │ │ │ XStream: Unsafe deserizaliation of │
│ │ │ │ │ │ com.sun.corba.se.impl.activation.ServerTableEntry │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21345 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21346 │ │ │ │ XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21346 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21347 │ │ │ │ XStream: Unsafe deserizaliation of │
│ │ │ │ │ │ com.sun.tools.javac.processing.JavacProcessingEnvironment │
│ │ │ │ │ │ NameProcessIterator │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21347 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21350 │ │ │ │ XStream: Unsafe deserizaliation of │
│ │ │ │ │ │ com.sun.org.apache.bcel.internal.util.ClassLoader │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21350 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21351 │ │ │ │ XStream: allow a remote attacker to load and execute │
│ │ │ │ │ │ arbitrary code from... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21351 │
│ ├─────────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2016-3674 │ HIGH │ │ 1.4.9 │ enabled processing of external entities │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-3674 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2017-7957 │ │ │ 1.4.10 │ XStream: DoS when unmarshalling void type │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2017-7957 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2020-26217 │ │ │ 1.4.14 │ XStream: remote code execution due to insecure XML │
│ │ │ │ │ │ deserialization when relying on... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-26217 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2020-26258 │ │ │ 1.4.15 │ XStream: Server-Side Forgery Request vulnerability can be │
│ │ │ │ │ │ activated when unmarshalling │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-26258 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21341 │ │ │ 1.4.16 │ XStream: allow a remote attacker to cause DoS only by │
│ │ │ │ │ │ manipulating the... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21341 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21343 │ │ │ │ XStream: arbitrary file deletion on the local host via │
│ │ │ │ │ │ crafted input stream... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21343 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21348 │ │ │ │ XStream: ReDoS vulnerability │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21348 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21349 │ │ │ │ XStream: SSRF can be activated unmarshalling with XStream to │
│ │ │ │ │ │ access data streams... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21349 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-29505 │ │ │ 1.4.17 │ XStream: remote command execution attack by manipulating the │
│ │ │ │ │ │ processed input stream │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-29505 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39139 │ │ │ 1.4.18 │ xstream: Arbitrary code execution via unsafe deserialization │
│ │ │ │ │ │ of Xalan xsltc.trax.TemplatesImpl │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39139 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39141 │ │ │ │ xstream: Arbitrary code execution via unsafe deserialization │
│ │ │ │ │ │ of com.sun.xml.internal.ws.client.sei.* │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39141 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39144 │ │ │ │ Arbitrary code execution via unsafe deserialization of │
│ │ │ │ │ │ sun.tracing.* │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39144 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39145 │ │ │ │ xstream: Arbitrary code execution via unsafe deserialization │
│ │ │ │ │ │ of com.sun.jndi.ldap.LdapBindingEnumeration │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39145 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39146 │ │ │ │ xstream: Arbitrary code execution via unsafe deserialization │
│ │ │ │ │ │ of javax.swing.UIDefaults$ProxyLazyValue │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39146 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39147 │ │ │ │ xstream: Arbitrary code execution via unsafe deserialization │
│ │ │ │ │ │ of com.sun.jndi.ldap.LdapSearchEnumeration │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39147 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39148 │ │ │ │ xstream: Arbitrary code execution via unsafe deserialization │
│ │ │ │ │ │ of com.sun.jndi.toolkit.dir.ContextEnumerator │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39148 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39149 │ │ │ │ xstream: Arbitrary code execution via unsafe deserialization │
│ │ │ │ │ │ of com.sun.corba.* │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39149 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39150 │ │ │ │ xstream: Server-side request forgery (SSRF) via unsafe │
│ │ │ │ │ │ deserialization of com.sun.xml.internal.ws.client.sei.* │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39150 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39151 │ │ │ │ xstream: Arbitrary code execution via unsafe deserialization │
│ │ │ │ │ │ of com.sun.jndi.ldap.LdapBindingEnumeration │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39151 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39152 │ │ │ │ xstream: Server-side request forgery (SSRF) via unsafe │
│ │ │ │ │ │ deserialization of │
│ │ │ │ │ │ jdk.nashorn.internal.runtime.Source$URLData │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39152 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39153 │ │ │ │ xstream: Arbitrary code execution via unsafe deserialization │
│ │ │ │ │ │ of Xalan xsltc.trax.TemplatesImpl │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39153 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39154 │ │ │ │ xstream: Arbitrary code execution via unsafe deserialization │
│ │ │ │ │ │ of javax.swing.UIDefaults$ProxyLazyValue │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39154 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-43859 │ │ │ 1.4.19 │ Injecting highly recursive collections or maps can cause a │
│ │ │ │ │ │ DoS │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-43859 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-40151 │ │ │ │ Xstream to serialise XML data was vulnerable to Denial of │
│ │ │ │ │ │ Service attacks... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-40151 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-40152 │ │ │ │ woodstox to serialise XML data was vulnerable to Denial of │
│ │ │ │ │ │ Service attacks... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-40152 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-41966 │ │ │ 1.4.20 │ Denial of Service by injecting recursive collections or maps │
│ │ │ │ │ │ based on element's... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41966 │
│ ├─────────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2020-26259 │ MEDIUM │ │ 1.4.15 │ XStream: arbitrary file deletion on the local host when │
│ │ │ │ │ │ unmarshalling │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-26259 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39140 │ │ │ 1.4.18 │ xstream: Infinite loop DoS via unsafe deserialization of │
│ │ │ │ │ │ sun.reflect.annotation.AnnotationInvocationHandler │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39140 │
│ ├─────────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ GHSA-3mq5-fq9h-gj7j │ UNKNOWN │ │ │ Denial of Service due to parser crash │
│ │ │ │ │ │ https://github.com/advisories/GHSA-3mq5-fq9h-gj7j │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ io.undertow:undertow-core │ CVE-2022-1259 │ HIGH │ 2.2.18.Final │ │ undertow: potential security issue in flow control over │
│ │ │ │ │ │ HTTP/2 may lead to... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1259 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-2053 │ │ │ 2.2.19 │ undertow: Large AJP request may cause DoS │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2053 │
│ ├─────────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-2764 │ MEDIUM │ │ │ Undertow: DoS can be achieved as Undertow server waits for │
│ │ │ │ │ │ the LAST_CHUNK... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2764 │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.hsqldb:hsqldb │ CVE-2022-41853 │ CRITICAL │ 2.5.2 │ 2.7.1 │ Untrusted input may lead to RCE attack │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41853 │
├─────────────────────────────────────────────────────────────┼─────────────────────┤ ├───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.boot:spring-boot-actuator-autoconfigure │ CVE-2023-20873 │ │ 2.7.1 │ 2.7.11, 3.0.6 │ Spring Boot Security Bypass with Wildcard Pattern Matching │
│ │ │ │ │ │ on Cloud Foundry │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-20873 │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.boot:spring-boot-autoconfigure │ CVE-2023-20883 │ HIGH │ │ 2.5.15, 2.6.15, 2.7.12, 3.0.7 │ Spring Boot Welcome Page DoS Vulnerability │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-20883 │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.security:spring-security-core │ CVE-2023-20862 │ CRITICAL │ 5.7.2 │ 5.7.8, 5.8.3, 6.0.3 │ Spring Security logout not clearing security context │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-20862 │
│ ├─────────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-31690 │ HIGH │ │ 5.6.9, 5.7.5 │ Privilege Escalation in spring-security-oauth2-client │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-31690 │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤ │ ├──────────────────────────────────────────────────────────────┤
│ org.springframework.security:spring-security-web │ CVE-2022-31692 │ CRITICAL │ │ │ Authorization rules can be bypassed via forward or include │
│ │ │ │ │ │ dispatcher types in... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-31692 │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-core │ CVE-2023-20861 │ MEDIUM │ 5.3.21 │ 5.3.26, 6.0.7, 5.2.23.RELEASE │ Spring Expression DoS Vulnerability │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-20861 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-20863 │ │ │ 5.3.27, 6.0.8, 5.2.24.RELEASE │ Spring Expression DoS Vulnerability │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-20863 │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-web │ CVE-2016-1000027 │ CRITICAL │ │ 6.0.0 │ spring: HttpInvokerServiceExporter readRemoteInvocation │
│ │ │ │ │ │ method untrusted java deserialization │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-1000027 │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-webmvc │ CVE-2023-20860 │ HIGH │ │ 5.3.26, 6.0.7 │ Security Bypass With Un-Prefixed Double Wildcard Pattern │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-20860 │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.yaml:snakeyaml │ CVE-2022-1471 │ CRITICAL │ 1.30 │ 2.0 │ Constructor Deserialization Remote Code Execution │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1471 │
│ ├─────────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-25857 │ HIGH │ │ 1.31 │ Denial of Service due to missing nested depth limitation for │
│ │ │ │ │ │ collections │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-25857 │
│ ├─────────────────────┼──────────┤ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-38749 │ MEDIUM │ │ │ Uncaught exception in │
│ │ │ │ │ │ org.yaml.snakeyaml.composer.Composer.composeSequenceNode │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-38749 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-38750 │ │ │ │ Uncaught exception in │
│ │ │ │ │ │ org.yaml.snakeyaml.constructor.BaseConstructor.constructObj- │
│ │ │ │ │ │ ect │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-38750 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-38751 │ │ │ │ Uncaught exception in │
│ │ │ │ │ │ java.base/java.util.regex.Pattern$Ques.match │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-38751 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-38752 │ │ │ 1.32 │ Uncaught exception in java.base/java.util.ArrayList.hashCode │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-38752 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-41854 │ │ │ │ DoS via stack overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41854 │
└─────────────────────────────────────────────────────────────┴─────────────────────┴──────────┴───────────────────┴───────────────────────────────┴──────────────────────────────────────────────────────────────┘
The value of the user session cookie spoof_auth is hashed as follows:
admin => nimda
This method can easily be reverse engineered and spoofed, allowing bad actors to spoof user sessions. I suggest using bcrypt and salting the string to resolve this issue.
src/main/resources/lessons/employees.xml has hardcoded unencrypted personal data stored in git
High
No csrf handling for the form
cross site request forgery :P
Password seems to be hard-coded and would be visible. Code would need to either scramble it or encrypt any password sent out to the auth service.
/workspaces/codetocloud-workshop/src/main/java/org/owasp/webgoat/container/users/UserForm.java Code looks to have the password as plain text
Cookies would have text visible as plain text.
Any new user and existing user signing in.
saw it at the speaker's screen :P
On https://github.com/sonatype-nexus-community/codetocloud-workshop/blob/main/.github/workflows/build.yml (and other workflows).
Unsanitized strings could lead to arbitrary code execution on malicious definitions and/or configurations.
Hardcoded username/password in lessons/insecurelogin/InsecureLoginTask.java@ln36
N/A
N/A
Insecure login
AccountVerifyHelper.java, specifically the "verifyAccount" method, is subject to a bypass.
Provided the user submits the same number of questions in the hashset and the key is different than the keys in the hashset, the method will return true.
An attacker will be able to bypass authentication.
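An added illustration of the bypass this issue describes (constructed for this page, not the project's AccountVerifyHelper code): a hypothetical verifyAccount that drives its loop from the submitted keys, beside a version that drives it from the expected keys. The map names, question keys and answers are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical reconstruction of the described logic; not the project's code.
 * "expected" plays the role of the stored question-key -> answer set,
 * "submitted" the answers posted by the user.
 */
public class AccountVerification {

    // FLAWED: a submitted answer is rejected only when its key is known AND the value
    // differs. Unknown keys are never rejected, so posting the right number of
    // made-up keys satisfies the final count check.
    static boolean verifyAccountFlawed(Map<String, String> expected, Map<String, String> submitted) {
        int checked = 0;
        for (Map.Entry<String, String> e : submitted.entrySet()) {
            String stored = expected.get(e.getKey());
            if (stored != null && !stored.equals(e.getValue())) {
                return false;
            }
            checked++;
        }
        return checked == expected.size();
    }

    // FIXED: iterate over the expected keys, require each one to be present with the
    // right value, reject extra keys via the size check, and avoid an early exit so
    // the response time does not reveal which question failed.
    static boolean verifyAccountFixed(Map<String, String> expected, Map<String, String> submitted) {
        if (submitted.size() != expected.size()) {
            return false;
        }
        boolean ok = true;
        for (Map.Entry<String, String> e : expected.entrySet()) {
            String given = submitted.get(e.getKey());
            if (given == null) {
                ok = false;
                given = "";
            }
            // MessageDigest.isEqual compares without stopping at the first differing byte.
            ok &= MessageDigest.isEqual(e.getValue().getBytes(StandardCharsets.UTF_8),
                                        given.getBytes(StandardCharsets.UTF_8));
        }
        return ok;
    }

    public static void main(String[] args) {
        Map<String, String> expected = new HashMap<>();   // constructed sample answers
        expected.put("q1", "blue");
        expected.put("q2", "rex");

        Map<String, String> bypass = new HashMap<>();     // same count, unrelated keys
        bypass.put("anything1", "x");
        bypass.put("anything2", "y");

        Map<String, String> genuine = new HashMap<>(expected);

        System.out.println("flawed, unknown keys: " + verifyAccountFlawed(expected, bypass));
        System.out.println("fixed,  unknown keys: " + verifyAccountFixed(expected, bypass));
        System.out.println("fixed,  real answers: " + verifyAccountFixed(expected, genuine));
    }
}
```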
The use of org.hsqldb : hsqldb : 2.5.2's java.sql.Statement or java.sql.PreparedStatement can allow remote code execution.
org.hsqldb : hsqldb : 2.5.2
/workspaces/codetocloud-workshop/.github/workflows/iq-tests.yml
Plain text password in SolutionConstants.java
TODO says to randomly generate
WebSecurityConfig.java uses org.springframework.security.crypto.password.NoOpPasswordEncoder, which is considered insecure and only exists for testing purposes where working with plaintext passwords may be useful.
Complete instructions, including specific configuration details, to reproduce the vulnerability.
An attacker could access all user data if passwords are leaked
The application is not currently vulnerable to this issue because it does not use vulnerable functions from these core libraries, however the libraries should be upgraded for future safety anyway.
The vulnerability exists because Guava creates temporary files in a public location with no restrictions on some file systems, allowing an attacker to access files which may contain private data.
None, based on vulnerability report
None at the moment
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format, e.g. JSON.
XStream does not provide security checks when creating Java objects. When untrusted data is processed, an attacker can provide crafted data that allows arbitrary code execution resulting in access to the host system that is only limited by the privileges of the running application.
The application is vulnerable by using this component. Issue will result when built as is without upgrading the dependency
Root Cause
xstream-1.4.5.jar : com/thoughtworks/xstream/XStream.class (, 1.4.7)
xstream-1.4.5.jar : com/thoughtworks/xstream/converters/reflection/ReflectionConverter.class (, 1.4.7)
Will impact the server where the code is run.
Employee information potentially put into the resources. Most likely for testing but in case it wasn't.
Location: /workspaces/codetocloud-workshop/src/main/resources/lessons/employees.xml
Visible file passed to client.
Any employee of the company whose data is leaked.
LogBleedingTask is logging an (admin) password
QuestionAssignment.java contains hardcoded question answers
/workspaces/codetocloud-workshop/config/checkstyle/suppressions.xml
/workspaces/codetocloud-workshop/config/dependency-check/project-suppression.xml
Class FileServer could possibly save a malicious file
Perhaps I am misreading due to being unfamiliar with Java. But it looks like the security policy for the request config is doing permit all as a default. Probably not a good idea.
Versions are not pinned for the robot tests in robot/README.md. This may result in unintended upgrades and failing tests or even malware infection of developer machines