Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CX Connection_String_Injection @ src/main/java/org/cysecurity/cspf/jvl/controller/Install.java [refs/heads/master] #173

Open
juegge opened this issue Oct 13, 2021 · 7 comments
Open

CX Connection_String_Injection @ src/main/java/org/cysecurity/cspf/jvl/controller/Install.java [refs/heads/master] #173

juegge opened this issue Oct 13, 2021 · 7 comments

Comments

@juegge
Copy link

juegge commented Oct 13, 2021
edited by github-actions bot
Loading

Connection_String_Injection issue exists @ src/main/java/org/cysecurity/cspf/jvl/controller/Install.java in branch refs/heads/master

The application's setup method receives untrusted, user-controlled data, and uses this data to connect to a database using BinaryExpr, at line 121 of src\main\java\org\cysecurity\cspf\jvl\controller\Install.java. This may enable a Connection String Injection attack.
The attacker can inject the connection string via user input, ""dbname"", which is retrieved by the application in the processRequest method, at line 58 of src\main\java\org\cysecurity\cspf\jvl\controller\Install.java.

Severity: High

CWE:99

Vulnerability details and guidance

Checkmarx

Training
Recommended Fix

Lines: 54 58

Code (Line #54):

        dburl = request.getParameter("dburl");

Code (Line #58):

        dbname = request.getParameter("dbname");
@juegge juegge closed this as completed Oct 13, 2021
@juegge juegge reopened this Oct 13, 2021
@juegge
Copy link
Author

juegge commented Oct 13, 2021

Issue still exists.

1 similar comment
@juegge
Copy link
Author

juegge commented Oct 13, 2021

Issue still exists.

@juegge juegge closed this as completed Oct 13, 2021
@juegge
Copy link
Author

juegge commented Feb 16, 2022

Issue still exists.

@juegge juegge reopened this Feb 16, 2022
@juegge juegge closed this as completed Feb 16, 2022
@github-actions github-actions bot reopened this Feb 17, 2022
@github-actions
Copy link

Issue still exists.

3 similar comments
@github-actions
Copy link

Issue still exists.

@github-actions
Copy link

Issue still exists.

@github-actions
Copy link

Issue still exists.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@juegge