secure-code-warrior-for-github[bot]
commented
1 year ago Micro-Learning Topic: Denial of service (Detected by phrase)
Matched on "denial of service"
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service
Try a challenge in Secure Code Warrior
Micro-Learning Topic: Vulnerable library (Detected by phrase)
Matched on "Vulnerable Library"
Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.
Try a challenge in Secure Code Warrior
Micro-Learning Topic: External entity injection (Detected by phrase)
Matched on "XXE"
An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
Try a challenge in Secure Code Warrior
Helpful references
- OWASP XML External Entity (XXE) Processing - OWASP community page with comprehensive information about XML external entity attacks, and links to various OWASP resources to help detect or prevent it.
- MSDN Security Briefs - XML Denial of Service Attacks and Defenses - An MSDN Magazine article that goes into detail on XML entity attacks and how to defend against them.
- OWASP XML External Entity Prevention Cheat Sheet - This article is focused on providing clear, simple, actionable guidance for preventing XML external entity flaws in your applications.
CVE-2021-33813 - High Severity Vulnerability
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/jdom/jdom/1.0/jdom-1.0.jar
Dependency Hierarchy: - forms_rt-7.0.3.jar (Root Library) - :x: **jdom-1.0.jar** (Vulnerable Library)
Found in HEAD commit: 1d5d282ecdd7bec32c9d58adb1e9155af4e18bc6
Found in base branch: master
An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
Publish Date: 2021-06-16
URL: CVE-2021-33813
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-33813
Release Date: 2021-06-16
Fix Resolution: org.apache.servicemix.bundles:org.apache.servicemix.bundles.jdom - 2.0.5_1;org.jdom:jdom2:2.0.6.1
Step up your Open Source Security Game with Mend here