Open 5l1D3R opened 1 year ago
Scan Summary:
PIPELINE_SCAN_VERSION: 23.4.1-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: a471dbd3-d6ed-44ef-b015-87fdd5720d15
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 344386 bytes
====================
Analysis Successful.
====================
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 156 issues.
====================
-------------------------------------
Found 4 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 14 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:166
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:251
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:316
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:384
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:495
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:506
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
-----------------------------------
Found 90 issues of Medium severity.
-----------------------------------
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/profile.jsp:248
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/profile.jsp:253
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/feed.jsp:175
CWE-502: Deserialization of Untrusted Data: com/veracode/verademo/utils/UserFactory.java:44
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'): com/veracode/verademo/utils/UserFactory.java:96
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: com/veracode/verademo/utils/User.java:103
CWE-259: Use of Hard-coded Password: com/veracode/verademo/utils/Constants.java:1
CWE-259: Use of Hard-coded Password: com/veracode/verademo/utils/Constants.java:14
CWE-601: URL Redirection to Untrusted Site ('Open Redirect'): com/veracode/verademo/controller/UserController.java:82
CWE-601: URL Redirection to Untrusted Site ('Open Redirect'): com/veracode/verademo/controller/UserController.java:95
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'): com/veracode/verademo/controller/UserController.java:173
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:229
CWE-73: External Control of File Name or Path: com/veracode/verademo/controller/UserController.java:230
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:237
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:249
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:255
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): com/veracode/verademo/controller/UserController.java:256
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): com/veracode/verademo/controller/UserController.java:263
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:385
CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection'): com/veracode/verademo/controller/UserController.java:433
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:493
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:504
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'): com/veracode/verademo/controller/UserController.java:631
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:658
CWE-73: External Control of File Name or Path: com/veracode/verademo/controller/UserController.java:660
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:694
CWE-73: External Control of File Name or Path: com/veracode/verademo/controller/UserController.java:699
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:708
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'): com/veracode/verademo/controller/UserController.java:711
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'): com/veracode/verademo/controller/UserController.java:713
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:803
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:859
CWE-73: External Control of File Name or Path: com/veracode/verademo/controller/UserController.java:863
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: com/veracode/verademo/controller/UserController.java:961
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/ResetController.java:109
CWE-331: Insufficient Entropy: com/veracode/verademo/controller/ResetController.java:128
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/ResetController.java:132
CWE-331: Insufficient Entropy: com/veracode/verademo/controller/ResetController.java:153
CWE-331: Insufficient Entropy: com/veracode/verademo/controller/ResetController.java:156
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/ResetController.java:159
CWE-331: Insufficient Entropy: com/veracode/verademo/controller/ResetController.java:179
CWE-331: Insufficient Entropy: com/veracode/verademo/controller/ResetController.java:183
CWE-331: Insufficient Entropy: com/veracode/verademo/controller/ResetController.java:187
CWE-331: Insufficient Entropy: com/veracode/verademo/controller/ResetController.java:191
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/ResetController.java:193
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/ResetController.java:194
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): com/veracode/verademo/controller/BlabController.java:204
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/BlabController.java:558
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/BlabController.java:559
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'): com/veracode/verademo/controller/BlabController.java:571
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/commands/RemoveAccountCommand.java:39
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/commands/RemoveAccountCommand.java:46
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/commands/RemoveAccountCommand.java:50
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/commands/ListenCommand.java:39
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/commands/ListenCommand.java:46
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/commands/IgnoreCommand.java:39
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/commands/IgnoreCommand.java:46
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/tools.jsp:65
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/tools.jsp:68
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/tools.jsp:78
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/register.jsp:60
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/register.jsp:87
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/register-finish.jsp:60
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/register-finish.jsp:83
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/profile.jsp:63
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/profile.jsp:91
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/profile.jsp:102
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/profile.jsp:111
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/profile.jsp:120
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/profile.jsp:161
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/profile.jsp:164
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/profile.jsp:201
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/login.jsp:62
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/login.jsp:81
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/login.jsp:88
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/feed.jsp:59
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/feed.jsp:70
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/feed.jsp:94
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/feed.jsp:97
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/feed.jsp:99
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/feed.jsp:142
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/blabbers.jsp:66
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/blabbers.jsp:101
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/blabbers.jsp:104
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/blab.jsp:57
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/blab.jsp:61
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/blab.jsp:69
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/blab.jsp:105
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/blab.jsp:109
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/blab.jsp:111
--------------------------------
Found 30 issues of Low severity.
--------------------------------
CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute: com/veracode/verademo/utils/UserFactory.java:96
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/UserController.java:157
CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute: com/veracode/verademo/controller/UserController.java:173
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/UserController.java:246
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/UserController.java:312
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/UserController.java:368
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/UserController.java:470
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/UserController.java:573
CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute: com/veracode/verademo/controller/UserController.java:631
CWE-201: Information Exposure Through Sent Data: com/veracode/verademo/controller/UserController.java:711
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/UserController.java:769
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/UserController.java:829
CWE-209: Information Exposure Through an Error Message: com/veracode/verademo/controller/UserController.java:949
CWE-201: Information Exposure Through Sent Data: com/veracode/verademo/controller/UserController.java:949
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/ResetController.java:101
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/ResetController.java:269
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/BlabController.java:69
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/BlabController.java:182
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/BlabController.java:232
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/BlabController.java:307
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/BlabController.java:400
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/BlabController.java:483
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/BlabController.java:568
CWE-209: Information Exposure Through an Error Message: WEB-INF/views/register.jsp:60
CWE-209: Information Exposure Through an Error Message: WEB-INF/views/register-finish.jsp:60
CWE-209: Information Exposure Through an Error Message: WEB-INF/views/profile.jsp:63
CWE-209: Information Exposure Through an Error Message: WEB-INF/views/login.jsp:62
CWE-209: Information Exposure Through an Error Message: WEB-INF/views/feed.jsp:70
CWE-209: Information Exposure Through an Error Message: WEB-INF/views/blabbers.jsp:66
CWE-209: Information Exposure Through an Error Message: WEB-INF/views/blab.jsp:69
---------------------------------------------
Skipping 18 issues of Informational severity.
---------------------------------------------
==========================
FAILURE: Found 138 issues!
==========================
Scan Summary:
PIPELINE_SCAN_VERSION: 23.4.1-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: e7ccabac-3a5b-40cf-9623-17ece91c7c72
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 344386 bytes
====================
Analysis Successful.
====================
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 156 issues.
====================
-------------------------------------
Found 4 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 14 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:166
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:251
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:316
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:384
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:495
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:506
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
--------------------------------------
Skipping 90 issues of Medium severity.
--------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 18 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
Scan Summary:
PIPELINE_SCAN_VERSION: 23.4.1-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 20404650-943f-4d21-83f8-62feb5897873
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 344386 bytes
====================
Analysis Successful.
====================
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 156 issues.
====================
-------------------------------------
Found 4 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 14 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:166
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:251
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:316
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:384
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:495
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:506
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
--------------------------------------
Skipping 90 issues of Medium severity.
--------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 18 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
Scan Summary:
PIPELINE_SCAN_VERSION: 23.4.1-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 504c1434-895e-4d6f-a0d7-ed70818032db
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 345688 bytes
====================
Analysis Successful.
====================
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 157 issues.
====================
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:36
---------------------------------
Found 14 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:166
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:251
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:316
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:384
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:495
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:506
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
--------------------------------------
Skipping 90 issues of Medium severity.
--------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 18 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 19 issues!
=========================
Scan Summary:
PIPELINE_SCAN_VERSION: 23.4.1-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: d9859573-f578-44c6-8ab0-515105774eed
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 345688 bytes
====================
Analysis Successful.
====================
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 157 issues.
====================
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:36
---------------------------------
Found 14 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:166
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:251
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:316
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:384
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:495
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:506
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
-----------------------------------
Found 90 issues of Medium severity.
-----------------------------------
CWE-502: Deserialization of Untrusted Data: com/veracode/verademo/utils/UserFactory.java:44
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'): com/veracode/verademo/utils/UserFactory.java:96
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: com/veracode/verademo/utils/User.java:103
CWE-259: Use of Hard-coded Password: com/veracode/verademo/utils/Constants.java:1
CWE-259: Use of Hard-coded Password: com/veracode/verademo/utils/Constants.java:14
CWE-601: URL Redirection to Untrusted Site ('Open Redirect'): com/veracode/verademo/controller/UserController.java:82
CWE-601: URL Redirection to Untrusted Site ('Open Redirect'): com/veracode/verademo/controller/UserController.java:95
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'): com/veracode/verademo/controller/UserController.java:173
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:229
CWE-73: External Control of File Name or Path: com/veracode/verademo/controller/UserController.java:230
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:237
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:249
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:255
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): com/veracode/verademo/controller/UserController.java:256
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): com/veracode/verademo/controller/UserController.java:263
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:385
CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection'): com/veracode/verademo/controller/UserController.java:433
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:493
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:504
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'): com/veracode/verademo/controller/UserController.java:631
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:658
CWE-73: External Control of File Name or Path: com/veracode/verademo/controller/UserController.java:660
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:694
CWE-73: External Control of File Name or Path: com/veracode/verademo/controller/UserController.java:699
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:708
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'): com/veracode/verademo/controller/UserController.java:711
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'): com/veracode/verademo/controller/UserController.java:713
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:803
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/UserController.java:859
CWE-73: External Control of File Name or Path: com/veracode/verademo/controller/UserController.java:863
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: com/veracode/verademo/controller/UserController.java:961
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/ResetController.java:109
CWE-331: Insufficient Entropy: com/veracode/verademo/controller/ResetController.java:128
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/ResetController.java:132
CWE-331: Insufficient Entropy: com/veracode/verademo/controller/ResetController.java:153
CWE-331: Insufficient Entropy: com/veracode/verademo/controller/ResetController.java:156
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/ResetController.java:159
CWE-331: Insufficient Entropy: com/veracode/verademo/controller/ResetController.java:179
CWE-331: Insufficient Entropy: com/veracode/verademo/controller/ResetController.java:183
CWE-331: Insufficient Entropy: com/veracode/verademo/controller/ResetController.java:187
CWE-331: Insufficient Entropy: com/veracode/verademo/controller/ResetController.java:191
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/ResetController.java:193
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/ResetController.java:194
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): com/veracode/verademo/controller/BlabController.java:204
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/BlabController.java:558
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/controller/BlabController.java:559
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'): com/veracode/verademo/controller/BlabController.java:571
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/commands/RemoveAccountCommand.java:39
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/commands/RemoveAccountCommand.java:46
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/commands/RemoveAccountCommand.java:50
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/commands/ListenCommand.java:39
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/commands/ListenCommand.java:46
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/commands/IgnoreCommand.java:39
CWE-117: Improper Output Neutralization for Logs: com/veracode/verademo/commands/IgnoreCommand.java:46
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/tools.jsp:65
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/tools.jsp:68
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/tools.jsp:78
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/register.jsp:60
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/register.jsp:87
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/register-finish.jsp:60
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/register-finish.jsp:83
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/profile.jsp:63
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/profile.jsp:91
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/profile.jsp:102
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/profile.jsp:111
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/profile.jsp:120
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/profile.jsp:161
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/profile.jsp:164
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/profile.jsp:201
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/login.jsp:65
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/login.jsp:84
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/login.jsp:91
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/feed.jsp:59
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/feed.jsp:70
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/feed.jsp:94
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/feed.jsp:97
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/feed.jsp:99
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/feed.jsp:142
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/blabbers.jsp:66
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/blabbers.jsp:101
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/blabbers.jsp:104
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/blab.jsp:57
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/blab.jsp:61
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/blab.jsp:69
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/blab.jsp:105
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/blab.jsp:109
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/blab.jsp:111
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/profile.jsp:248
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/profile.jsp:253
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): WEB-INF/views/feed.jsp:175
--------------------------------
Found 30 issues of Low severity.
--------------------------------
CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute: com/veracode/verademo/utils/UserFactory.java:96
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/UserController.java:157
CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute: com/veracode/verademo/controller/UserController.java:173
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/UserController.java:246
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/UserController.java:312
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/UserController.java:368
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/UserController.java:470
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/UserController.java:573
CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute: com/veracode/verademo/controller/UserController.java:631
CWE-201: Information Exposure Through Sent Data: com/veracode/verademo/controller/UserController.java:711
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/UserController.java:769
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/UserController.java:829
CWE-209: Information Exposure Through an Error Message: com/veracode/verademo/controller/UserController.java:949
CWE-201: Information Exposure Through Sent Data: com/veracode/verademo/controller/UserController.java:949
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/ResetController.java:101
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/ResetController.java:269
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/BlabController.java:69
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/BlabController.java:182
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/BlabController.java:232
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/BlabController.java:307
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/BlabController.java:400
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/BlabController.java:483
CWE-245: J2EE Bad Practices: Direct Management of Connections: com/veracode/verademo/controller/BlabController.java:568
CWE-209: Information Exposure Through an Error Message: WEB-INF/views/register.jsp:60
CWE-209: Information Exposure Through an Error Message: WEB-INF/views/register-finish.jsp:60
CWE-209: Information Exposure Through an Error Message: WEB-INF/views/profile.jsp:63
CWE-209: Information Exposure Through an Error Message: WEB-INF/views/login.jsp:65
CWE-209: Information Exposure Through an Error Message: WEB-INF/views/feed.jsp:70
CWE-209: Information Exposure Through an Error Message: WEB-INF/views/blabbers.jsp:66
CWE-209: Information Exposure Through an Error Message: WEB-INF/views/blab.jsp:69
---------------------------------------------
Skipping 18 issues of Informational severity.
---------------------------------------------
==========================
FAILURE: Found 139 issues!
==========================
Scan Summary:
PIPELINE_SCAN_VERSION: 23.4.1-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 4ee188a7-f751-4bf5-9a55-3f5da57e07f1
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 345688 bytes
====================
Analysis Successful.
====================
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 157 issues.
====================
-------------------------------------
Found 1 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:36
**
Total flaws found: 157, New flaws found: 1 as compared to baseline
**
========================
FAILURE: Found 1 issues!
========================
Scan Summary:
PIPELINE_SCAN_VERSION: 23.4.1-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: e040e2c2-afdf-4a8d-9be6-875fd3888406
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 345688 bytes
====================
Analysis Successful.
====================
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 157 issues.
====================
-------------------------------------
Found 1 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:36
**
Total flaws found: 157, New flaws found: 1 as compared to baseline
**
========================
FAILURE: Found 1 issues!
========================
Scan Summary:
PIPELINE_SCAN_VERSION: 23.4.1-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: a13550c5-dd6d-4118-87a2-64c4670ba0bb
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 345688 bytes
====================
Analysis Successful.
====================
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 157 issues.
====================
-------------------------------------
Found 1 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:36
**
Total flaws found: 157, New flaws found: 1 as compared to baseline
**
========================
FAILURE: Found 1 issues!
========================
Scan Summary:
PIPELINE_SCAN_VERSION: 23.4.1-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 5d87778c-9fe8-4ade-a22d-cc3f89f05c17
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 345688 bytes
====================
Analysis Successful.
====================
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 157 issues.
====================
-------------------------------------
Found 1 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:36
**
Total flaws found: 157, New flaws found: 1 as compared to baseline
**
========================
FAILURE: Found 1 issues!
========================
Scan Summary:
PIPELINE_SCAN_VERSION: 23.4.1-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 114557a6-b397-46cc-879b-02faaf28f3d0
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 345688 bytes
====================
Analysis Successful.
====================
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 157 issues.
====================
-------------------------------------
Found 1 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:36
**
Total flaws found: 157, New flaws found: 1 as compared to baseline
**
========================
FAILURE: Found 1 issues!
========================
Scan Summary:
PIPELINE_SCAN_VERSION: 23.4.1-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 86009508-1b9d-4651-b317-7720f96e1159
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 345688 bytes
====================
Analysis Successful.
====================
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 157 issues.
====================
-------------------------------------
Found 1 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:36
**
Total flaws found: 157, New flaws found: 1 as compared to baseline
**
========================
FAILURE: Found 1 issues!
========================
Veracode SCA Scan failed with exit code 0
Veracode SCA agent scanning engine ready
Running the Maven scanner
Scanning completed
Found 5299 lines of code
Processing results...
Processing results complete

Summary Report
Scan ID: d5b9824c-4760-44ac-ab66-a4e6600d37b0
Scan Date & Time: Apr 18 2023 10:14AM UTC
Account type: ENTERPRISE
Scan engine: 3.8.24 (latest 3.8.21)
Analysis time: 14 seconds
User: runner
Project: /home/runner/work/Github-actions/Github-actions
Package Manager(s): Maven

Open-Source Libraries
Total Libraries: 50
Direct Libraries: 23
Transitive Libraries: 27
Vulnerable Libraries: 19
Third Party Code: 99%

Vulnerable Methods
2 vulnerable methods can be reached via the code's call graph
Call Source | Method Name | Library
xmlfilter.filterXMLSignature [line 26] | CanonicalizerSpi.engineCanonicalize([B) | Apache XML Security for Java : 1.5.1
xmlfilter.main [line 14] | BCrypt.crypt_raw([B[BI) | jBCrypt : 0.3m
xmlfilter.main [line 16] | BCrypt.crypt_raw([B[BI) | jBCrypt : 0.3m

Security
With Vulnerable Methods: 2
High Risk Vulnerabilities: 10
Medium Risk Vulnerabilities: 32
Low Risk Vulnerabilities: 5

Vulnerabilities - Public Data
CVE ID | Risk | Description | Library
CVE-2016-1000027 | High Risk | Remote Code Execution (RCE) | Spring Web 4.3.10.RELEASE
CVE-2017-1000487 | High Risk | Command Line Shell Injection | Plexus Common Utilities 1.0.4
CVE-2015-6420 | High Risk | Arbitrary Code Execution | Apache Commons Collections 4.0
CVE-2015-4852 | High Risk | Potential Remote Code Execution Via Java Object Deserialization | Apache Commons Collections 4.0
CVE-2015-0254 | High Risk | XML External Entity (XXE) Through An XSLT Extension | jstl 1.2
CVE-2023-24998 | High Risk | Denial Of Service (DoS) | Apache Commons FileUpload 1.3.2
CVE-2016-1000031 | High Risk | Remote Code Execution Via Serialization | Apache Commons FileUpload 1.3.2
CVE-2022-22965 | High Risk | Remote Code Execution (RCE) | Spring Beans 4.3.10.RELEASE
CVE-2022-23307 | High Risk | Remote Code Execution (RCE) | Apache Log4j 1.2.17
CVE-2019-17571 | High Risk | Arbitrary Code Execution | Apache Log4j 1.2.17
CVE-2018-15756 | Medium Risk | Denial Of Service (DoS) | Spring Web 4.3.10.RELEASE
CVE-2018-11039 | Medium Risk | Cross-Site Tracing (XST) | Spring Web 4.3.10.RELEASE
CVE-2022-22950 | Medium Risk | Denial Of Service (DoS) | Spring Expression Language (SpEL) 4.3.10.RELEASE
CVE-2023-20861 | Medium Risk | Denial Of Service (DoS) | Spring Expression Language (SpEL) 4.3.10.RELEASE
CVE-2017-3586 | Medium Risk | Usable Expired Certificates | mysql-connector-java 5.1.35
CVE-2022-21363 | Medium Risk | Privilege Escalation | mysql-connector-java 5.1.35
CVE-2017-3523 | Medium Risk | Improper Automatic Deserialization | mysql-connector-java 5.1.35
CVE-2022-22968 | Medium Risk | Binding Rules Bypass | Spring Context 4.3.10.RELEASE
CVE-2018-1002200 | Medium Risk | Arbitrary File Write | Plexus Archiver Component 1.0-alpha-3
CVE-2012-6153 | Medium Risk | Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers | HttpClient 3.1
CVE-2012-5783 | Medium Risk | Man In The Middle (MitM) | HttpClient 3.1
CVE-2015-0886 | Medium Risk | Information Disclosure Of Password Hashes Through Crypt_raw | jBCrypt 0.3m
CVE-2021-22096 | Medium Risk | Log Injection | Spring Core 4.3.10.RELEASE
CVE-2018-1272 | Medium Risk | Privilege Escalation Through Multipart Content Pollution | Spring Core 4.3.10.RELEASE
CVE-2017-2646 | Medium Risk | Denial Of Service (DoS) | Keycloak SAML Core 1.8.1.Final
CVE-2017-2582 | Medium Risk | Information Disclosure | Keycloak SAML Core 1.8.1.Final
CVE-2021-29425 | Medium Risk | Directory Traversal | Apache Commons IO 2.4
CVE-2021-40690 | Medium Risk | Bypass Of Secure Validation | Apache XML Security for Java 1.5.1
CVE-2013-4517 | Medium Risk | Denial Of Service (DoS) Memory Consumption | Apache XML Security for Java 1.5.1
CVE-2013-2172 | Medium Risk | Spoofable XML Signature | Apache XML Security for Java 1.5.1
CVE-2015-2944 | Medium Risk | Multiple Cross-site Scripting (XSS) Vulnerabilities | Apache Sling API 2.0.2-incubator
CVE-2022-23302 | Medium Risk | Deserialisation Of Untrusted Object | Apache Log4j 1.2.17
CVE-2021-4104 | Medium Risk | Deserialisation Of Untrusted Object | Apache Log4j 1.2.17
CVE-2022-23305 | Medium Risk | SQL Injection | Apache Log4j 1.2.17
CVE-2020-9493 | Medium Risk | Remote Code Execution (RCE) | Apache Log4j 1.2.17
CVE-2023-26464 | Medium Risk | Denial Of Service (DoS) | Apache Log4j 1.2.17
CVE-2018-15756 | Medium Risk | Denial Of Service (DoS) | Spring Web MVC 4.3.10.RELEASE
CVE-2018-1271 | Medium Risk | Directory Traversal | Spring Web MVC 4.3.10.RELEASE
CVE-2018-11040 | Medium Risk | Cross-Domain Request Through Insecure JSONP Defaults | Spring Web MVC 4.3.10.RELEASE
CVE-2018-1199 | Medium Risk | Security Constraint Bypass | Spring Web MVC 4.3.10.RELEASE
CVE-2020-5421 | Low Risk | Reflected File Download (RFD) Attack | Spring Web 4.3.10.RELEASE
CVE-2020-2933 | Low Risk | Denial Of Service (DoS) | mysql-connector-java 5.1.35
CVE-2019-2692 | Low Risk | Authorization Bypass | mysql-connector-java 5.1.35
CVE-2017-3589 | Low Risk | Database Overwrite | mysql-connector-java 5.1.35
CVE-2022-22970 | Low Risk | Denial Of Service (DoS) | Spring Beans 4.3.10.RELEASE

Vulnerabilities - Premium Data
CVE ID | Risk | Description | Library
NO-CVE | Medium Risk | SAML Assertion Insertion | Keycloak SAML Core 1.8.1.Final
NO-CVE | Medium Risk | Remote Code Execution (RCE) Via Java Object Deserialization | Apache Commons IO 2.4

Licenses
Unique Library Licenses: 14
Libraries Using GPL: 6
Libraries With High Risk License: 6
Libraries With Medium Risk License: 13
Libraries With Low Risk License: 44
Libraries With Multiple Licenses: 8
Libraries With Unassessable License: 0
Libraries With Unrecognizable License: 2

Issues
Issue ID | Issue Type | Severity | Description | Library Name & Version In Use
152698953 | Vulnerability | 7.5 | CVE-2016-1000031: Remote Code Execution Via Serialization | Apache Commons FileUpload 1.3.2
152698954 | Vulnerability | 5.8 | CVE-2012-5783: Man In The Middle (MitM) | HttpClient 3.1
152698955 | Vulnerability | 4.3 | CVE-2012-6153: Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers | HttpClient 3.1
152698956 | Vulnerability | 5.8 | CVE-2021-29425: Directory Traversal | Apache Commons IO 2.4
152698957 | Vulnerability | 5.1 | NO-CVE: Remote Code Execution (RCE) Via Java Object Deserialization | Apache Commons IO 2.4
152698958 | Vulnerability | 7.5 | CVE-2015-0254: XML External Entity (XXE) Through An XSLT Extension | jstl 1.2
152698959 | Vulnerability | 9.0 | CVE-2022-23307: Remote Code Execution (RCE) | Apache Log4j 1.2.17
152698960 | Vulnerability | 7.5 | CVE-2019-17571: Arbitrary Code Execution | Apache Log4j 1.2.17
152698961 | Vulnerability | 6.8 | CVE-2020-9493: Remote Code Execution (RCE) | Apache Log4j 1.2.17
152698962 | Vulnerability | 6.8 | CVE-2022-23305: SQL Injection | Apache Log4j 1.2.17
152698963 | Vulnerability | 6.0 | CVE-2022-23302: Deserialisation Of Untrusted Object | Apache Log4j 1.2.17
152698964 | Vulnerability | 6.0 | CVE-2021-4104: Deserialisation Of Untrusted Object | Apache Log4j 1.2.17
152698965 | Vulnerability | 6.0 | CVE-2022-21363: Privilege Escalation | mysql-connector-java 5.1.35
152698966 | Vulnerability | 6.0 | CVE-2017-3523: Improper Automatic Deserialization | mysql-connector-java 5.1.35
152698967 | Vulnerability | 5.5 | CVE-2017-3586: Usable Expired Certificates | mysql-connector-java 5.1.35
152698968 | Vulnerability | 3.5 | CVE-2019-2692: Authorization Bypass | mysql-connector-java 5.1.35
152698969 | Vulnerability | 3.5 | CVE-2020-2933: Denial Of Service (DoS) | mysql-connector-java 5.1.35
152698970 | Vulnerability | 2.1 | CVE-2017-3589: Database Overwrite | mysql-connector-java 5.1.35
152698971 | Vulnerability | 7.5 | CVE-2015-6420: Arbitrary Code Execution | Apache Commons Collections 4.0
152698972 | Vulnerability | 7.5 | CVE-2015-4852: Potential Remote Code Execution Via Java Object Deserialization | Apache Commons Collections 4.0
152698973 | Vulnerability | 5.0 | CVE-2021-40690: Bypass Of Secure Validation | Apache XML Security for Java 1.5.1
152698974 | Vulnerability | 4.3 | CVE-2013-4517: Denial of Service (DoS) Memory Consumption | Apache XML Security for Java 1.5.1
152698975 | Vulnerability | 4.3 | CVE-2013-2172: Spoofable XML Signature | Apache XML Security for Java 1.5.1
152698976 | Vulnerability | 4.3 | CVE-2015-2944: Multiple Cross-site Scripting (XSS) Vulnerabilities | Apache Sling API 2.0.2-incubator
152698977 | Vulnerability | 4.3 | CVE-2018-1002200: Arbitrary File Write | Plexus Archiver Component 1.0-alpha-3
152698978 | Vulnerability | 7.5 | CVE-2017-1000487: Command Line Shell Injection | Plexus Common Utilities 1.0.4
152698979 | Vulnerability | 6.4 | NO-CVE: SAML Assertion Insertion | Keycloak SAML Core 1.8.1.Final
152698980 | Vulnerability | 5.0 | CVE-2017-2646: Denial Of Service (DoS) | Keycloak SAML Core 1.8.1.Final
152698981 | Vulnerability | 4.0 | CVE-2017-2582: Information Disclosure | Keycloak SAML Core 1.8.1.Final
152698982 | Vulnerability | 5.0 | CVE-2015-0886: Information Disclosure Of Password Hashes Through Crypt_raw | jBCrypt 0.3m
152698983 | Vulnerability | 7.5 | CVE-2022-22965: Remote Code Execution (RCE) | Spring Beans 4.3.10.RELEASE
152698984 | Vulnerability | 3.5 | CVE-2022-22970: Denial Of Service (DoS) | Spring Beans 4.3.10.RELEASE
152701835 | Vulnerability | 5.0 | CVE-2022-22968: Binding Rules Bypass | Spring Context 4.3.10.RELEASE
152701836 | Vulnerability | 6.0 | CVE-2018-1272: Privilege Escalation Through Multipart Content Pollution | Spring Core 4.3.10.RELEASE
152701837 | Vulnerability | 4.0 | CVE-2021-22096: Log Injection | Spring Core 4.3.10.RELEASE
152701838 | Vulnerability | 4.0 | CVE-2022-22950: Denial Of Service (DoS) | Spring Expression Language (SpEL) 4.3.10.RELEASE
152701839 | Vulnerability | 5.0 | CVE-2018-15756: Denial Of Service (DoS) | Spring Web 4.3.10.RELEASE
152701840 | Vulnerability | 4.3 | CVE-2018-11039: Cross-Site Tracing (XST) | Spring Web 4.3.10.RELEASE
152701841 | Vulnerability | 3.6 | CVE-2020-5421: Reflected File Download (RFD) Attack | Spring Web 4.3.10.RELEASE
152701842 | Vulnerability | 5.0 | CVE-2018-15756: Denial Of Service (DoS) | Spring Web MVC 4.3.10.RELEASE
152701843 | Vulnerability | 5.0 | CVE-2018-1199: Security Constraint Bypass | Spring Web MVC 4.3.10.RELEASE
152701844 | Vulnerability | 4.3 | CVE-2018-11040: Cross-Domain Request Through Insecure JSONP Defaults | Spring Web MVC 4.3.10.RELEASE
152701845 | Vulnerability | 4.3 | CVE-2018-1271: Directory Traversal | Spring Web MVC 4.3.10.RELEASE
152701849 | Outdated Library | 3.0 | Latest version at scan: 2.11.0 | Apache Commons IO 2.4
152701850 | Outdated Library | 3.0 | Latest version at scan: 1.5.0-b01 | JavaMail API (compat) 1.4.7
152701851 | Outdated Library | 3.0 | Latest version at scan: 4.0.1 | Java Servlet API 3.0.1
152701852 | Outdated Library | 3.0 | Latest version at scan: 2.4.0-b180830.0359 | jaxb-api 2.3.0
152701854 | Outdated Library | 3.0 | Latest version at scan: 4.4 | Apache Commons Collections 4.0
152701855 | Outdated Library | 3.0 | Latest version at scan: 2.4.2 | Apache Sling Maven Plugin Relocation 2.0.4-incubator
152701857 | Outdated Library | 3.0 | Latest version at scan: 0.4 | jBCrypt 0.3m
152701858 | Outdated Library | 3.0 | Latest version at scan: 1.2.3 | JSP Encoder 1.2.1
152701859 | Outdated Library | 3.0 | Latest version at scan: 1.2.3 | Java Encoder 1.2.1
152701867 | License | 9.0 | Library has High-Risk License | Old JAXB Core 2.3.0
152701868 | License | 9.0 | Library has High-Risk License | Old JAXB Runtime 2.3.0
152701869 | License | 9.0 | Library has High-Risk License | JavaMail API (compat) 1.4.7
152701870 | License | 9.0 | Library has High-Risk License | jstl 1.2
152701871 | License | 9.0 | Library has High-Risk License | jaxb-api 2.3.0
152701872 | License | 9.0 | Library has High-Risk License | mysql-connector-java 5.1.35
157309416 | Vulnerability | 7.5 | CVE-2016-1000027: Remote Code Execution (RCE) | Spring Web 4.3.10.RELEASE
168650744 | Vulnerability | 7.8 | CVE-2023-24998: Denial Of Service (DoS) | Apache Commons FileUpload 1.3.2
172224398 | Vulnerability | 5.0 | CVE-2023-26464: Denial Of Service (DoS) | Apache Log4j 1.2.17
176123273 | Vulnerability | 6.8 | CVE-2023-20861: Denial Of Service (DoS) | Spring Expression Language (SpEL) 4.3.10.RELEASE
179848810 | Outdated Library | 3.0 | Latest version at scan: 4.0.2 | Old JAXB Core 2.3.0
179848811 | Outdated Library | 3.0 | Latest version at scan: 4.0.2 | Old JAXB Runtime 2.3.0
179848812 | Outdated Library | 3.0 | Latest version at scan: 1.5 | Apache Commons FileUpload 1.3.2
179848813 | Outdated Library | 3.0 | Latest version at scan: 8.0.32 | mysql-connector-java 5.1.35
179848814 | Outdated Library | 3.0 | Latest version at scan: 21.0.2 | Keycloak SAML Core 1.8.1.Final
179848815 | Outdated Library | 3.0 | Latest version at scan: 2.0.7 | SLF4J LOG4J-12 Binding relocated 1.7.7
179848816 | Outdated Library | 3.0 | Latest version at scan: 6.0.8 | Spring Context 4.3.10.RELEASE
179848817 | Outdated Library | 3.0 | Latest version at scan: 6.0.8 | Spring Core 4.3.10.RELEASE
179848818 | Outdated Library | 3.0 | Latest version at scan: 6.0.8 | Spring JDBC 4.3.10.RELEASE
179848819 | Outdated Library | 3.0 | Latest version at scan: 6.0.8 | Spring Transaction 4.3.10.RELEASE
179848820 | Outdated Library | 3.0 | Latest version at scan: 6.0.8 | Spring Web 4.3.10.RELEASE
179848821 | Outdated Library | 3.0 | Latest version at scan: 6.0.8 | Spring Web MVC 4.3.10.RELEASE

Full Report Details: https://sca.analysiscenter.veracode.com/teams/gZZUdoD/scans/48955420
Scan Summary:
PIPELINE_SCAN_VERSION: 23.4.1-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 28a5f7d1-cdd5-48fe-b2d1-bd794ad50e59
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 345688 bytes
====================
Analysis Successful.
====================
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 157 issues.
====================
details
-------------------------------------
Found 1 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:36
**Total flaws found: 157, New flaws found: 1 as compared to baseline**
========================
FAILURE: Found 1 issues!
========================
Scan Summary:
PIPELINE_SCAN_VERSION: 23.4.1-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: f21de874-2532-448a-9853-7f2d7a0bf289
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 345688 bytes
====================
Analysis Successful.
====================
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 157 issues.
====================
details
-------------------------------------
Found 1 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:36
**Total flaws found: 157, New flaws found: 1 as compared to baseline**
========================
FAILURE: Found 1 issues!
========================
Veraocde SCA Scan failed with exit code 0
Veracode SCA agent scanning engine ready Running the Maven scanner Scanning completed Found 5299 lines of code Processing results... Processing results complete Summary Report Scan ID 638c2f46-772e-4ef2-a355-ddb571195b18 Scan Date & Time Apr 19 2023 08:28AM UTC Account type ENTERPRISE Scan engine 3.8.25 (latest 3.8.25) Analysis time 16 seconds User runner Project /home/runner/work/Github-actions/Github-actions Package Manager(s) Maven Open-Source Libraries Total Libraries 50 Direct Libraries 23 Transitive Libraries 27 Vulnerable Libraries 19 Third Party Code 99% Vulnerable Methods 2 vulnerable methods can be reached via the code's call graph Call Source Method Name Library xmlfilter.filterXMLSignature [line 26] CanonicalizerSpi.engineCanonicalize([B) Apache XML Security for Java : 1.5.1 xmlfilter.main [line 14] BCrypt.crypt_raw([B[BI) jBCrypt : 0.3m xmlfilter.main [line 16] BCrypt.crypt_raw([B[BI) jBCrypt : 0.3m Security With Vulnerable Methods 2 High Risk Vulnerabilities 10 Medium Risk Vulnerabilities 33 Low Risk Vulnerabilities 5 Vulnerabilities - Public Data CVE-2016-1000027 High Risk Remote Code Execution (RCE) Spring Web 4.3.10.RELEASE CVE-2017-1000487 High Risk Command Line Shell Injection Plexus Common Utilities 1.0.4 CVE-2015-6420 High Risk Arbitrary Code Execution Apache Commons Collections 4.0 CVE-2015-4852 High Risk Potential Remote Code Execution Via Java Object Deserialization Apache Commons Collections 4.0 CVE-2015-0254 High Risk XML External Entity (XXE) Through An XSLT Extension jstl 1.2 CVE-2023-24998 High Risk Denial Of Service (DoS) Apache Commons FileUpload 1.3.2 CVE-2016-1000031 High Risk Remote Code Execution Via Serialization Apache Commons FileUpload 1.3.2 CVE-2022-22965 High Risk Remote Code Execution (RCE) Spring Beans 4.3.10.RELEASE CVE-2022-23307 High Risk Remote Code Execution (RCE) Apache Log4j 1.2.17 CVE-2019-17571 High Risk Arbitrary Code Execution Apache Log4j 1.2.17 CVE-2018-15756 Medium Risk Denial Of Service (DoS) Spring Web 
4.3.10.RELEASE CVE-2018-11039 Medium Risk Cross-Site Tracing (XST) Spring Web 4.3.10.RELEASE CVE-2023-20863 Medium Risk Denial Of Service (DoS) Spring Expression Language (SpEL) 4.3.10.RELEASE CVE-2022-22950 Medium Risk Denial Of Service (DoS) Spring Expression Language (SpEL) 4.3.10.RELEASE CVE-2023-20861 Medium Risk Denial Of Service (DoS) Spring Expression Language (SpEL) 4.3.10.RELEASE CVE-2017-3586 Medium Risk Usable Expired Certificates mysql-connector-java 5.1.35 CVE-2022-21363 Medium Risk Privilege Escalation mysql-connector-java 5.1.35 CVE-2017-3523 Medium Risk Improper Automatic Deserialization mysql-connector-java 5.1.35 CVE-2022-22968 Medium Risk Binding Rules Bypass Spring Context 4.3.10.RELEASE CVE-2018-1002200 Medium Risk Arbitrary File Write Plexus Archiver Component 1.0-alpha-3 CVE-2012-6153 Medium Risk Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers HttpClient 3.1 CVE-2012-5783 Medium Risk Man In The Middle (MitM) HttpClient 3.1 CVE-2015-0886 Medium Risk Information Disclosure Of Password Hashes Through Crypt_raw jBCrypt 0.3m CVE-2021-22096 Medium Risk Log Injection Spring Core 4.3.10.RELEASE CVE-2018-1272 Medium Risk Privilege Escalation Through Multipart Content Pollution Spring Core 4.3.10.RELEASE CVE-2017-2646 Medium Risk Denial Of Service (DoS) Keycloak SAML Core 1.8.1.Final CVE-2017-2582 Medium Risk Information Disclosure Keycloak SAML Core 1.8.1.Final CVE-2021-29425 Medium Risk Directory Traversal Apache Commons IO 2.4 CVE-2021-40690 Medium Risk Bypass Of Secure Validation Apache XML Security for Java 1.5.1 CVE-2013-4517 Medium Risk Denial Of Service (DoS) Memory Consumption Apache XML Security for Java 1.5.1 CVE-2013-2172 Medium Risk Spoofable XML Signature Apache XML Security for Java 1.5.1 CVE-2015-2944 Medium Risk Multiple Cross-site Scripting (XSS) Vulnerabilities Apache Sling API 2.0.2-incubator CVE-2022-23302 Medium Risk Deserialisation Of Untrusted Object Apache Log4j 1.2.17 CVE-2021-4104 Medium Risk 
Deserialisation Of Untrusted Object Apache Log4j 1.2.17 CVE-2022-23305 Medium Risk SQL Injection Apache Log4j 1.2.17 CVE-2020-9493 Medium Risk Remote Code Execution (RCE) Apache Log4j 1.2.17 CVE-2023-26464 Medium Risk Denial Of Service (DoS) Apache Log4j 1.2.17 CVE-2018-15756 Medium Risk Denial Of Service (DoS) Spring Web MVC 4.3.10.RELEASE CVE-2018-1271 Medium Risk Directory Traversal Spring Web MVC 4.3.10.RELEASE CVE-2018-11040 Medium Risk Cross-Domain Request Through Insecure JSONP Defaults Spring Web MVC 4.3.10.RELEASE CVE-2018-1199 Medium Risk Security Constraint Bypass Spring Web MVC 4.3.10.RELEASE CVE-2020-5421 Low Risk Reflected File Download (RFD) Attack Spring Web 4.3.10.RELEASE CVE-2020-2933 Low Risk Denial Of Service (DoS) mysql-connector-java 5.1.35 CVE-2019-2692 Low Risk Authorization Bypass mysql-connector-java 5.1.35 CVE-2017-3589 Low Risk Database Overwrite mysql-connector-java 5.1.35 CVE-2022-22970 Low Risk Denial Of Service (DoS) Spring Beans 4.3.10.RELEASE Vulnerabilities - Premium Data NO-CVE Medium Risk SAML Assertion Insertion Keycloak SAML Core 1.8.1.Final NO-CVE Medium Risk Remote Code Execution (RCE) Via Java Object Deserialization Apache Commons IO 2.4 Licenses Unique Library Licenses 14 Libraries Using GPL 6 Libraries With High Risk License 6 Libraries With Medium Risk License 13 Libraries With Low Risk License 44 Libraries With Multiple Licenses 8 Libraries With Unassessable License 0 Libraries With Unrecognizable License 2 Issues Issue ID Issue Type Severity Description Library Name & Version In Use 152698953 Vulnerability 7.5 CVE-2016-1000031: Remote Code Execution Via Serialization Apache Commons FileUpload 1.3.2 152698954 Vulnerability 5.8 CVE-2012-5783: Man In The Middle (MitM) HttpClient 3.1 152698955 Vulnerability 4.3 CVE-2012-6153: Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers HttpClient 3.1 152698956 Vulnerability 5.8 CVE-2021-29425: Directory Traversal Apache Commons IO 2.4 152698957 Vulnerability 5.1 
NO-CVE: Remote Code Execution (RCE) Via Java Object Deserialization Apache Commons IO 2.4 152698958 Vulnerability 7.5 CVE-2015-0254: XML External Entity (XXE) Through An XSLT Extension jstl 1.2 152698959 Vulnerability 9.0 CVE-2022-23307: Remote Code Execution (RCE) Apache Log4j 1.2.17 152698960 Vulnerability 7.5 CVE-2019-17571: Arbitrary Code Execution Apache Log4j 1.2.17 152698961 Vulnerability 6.8 CVE-2020-9493: Remote Code Execution (RCE) Apache Log4j 1.2.17 152698962 Vulnerability 6.8 CVE-2022-23305: SQL Injection Apache Log4j 1.2.17 152698963 Vulnerability 6.0 CVE-2022-23302: Deserialisation Of Untrusted Object Apache Log4j 1.2.17 152698964 Vulnerability 6.0 CVE-2021-4104: Deserialisation Of Untrusted Object Apache Log4j 1.2.17 152698965 Vulnerability 6.0 CVE-2022-21363: Privilege Escalation mysql-connector-java 5.1.35 152698966 Vulnerability 6.0 CVE-2017-3523: Improper Automatic Deserialization mysql-connector-java 5.1.35 152698967 Vulnerability 5.5 CVE-2017-3586: Usable Expired Certificates mysql-connector-java 5.1.35 152698968 Vulnerability 3.5 CVE-2019-2692: Authorization Bypass mysql-connector-java 5.1.35 152698969 Vulnerability 3.5 CVE-2020-2933: Denial Of Service (DoS) mysql-connector-java 5.1.35 152698970 Vulnerability 2.1 CVE-2017-3589: Database Overwrite mysql-connector-java 5.1.35 152698971 Vulnerability 7.5 CVE-2015-6420: Arbitrary Code Execution Apache Commons Collections 4.0 152698972 Vulnerability 7.5 CVE-2015-4852: Potential Remote Code Execution Via Java Object Deserialization Apache Commons Collections 4.0 152698973 Vulnerability 5.0 CVE-2021-40690: Bypass Of Secure Validation Apache XML Security for Java 1.5.1 152698974 Vulnerability 4.3 CVE-2013-4517: Denial of Service (DoS) Memory Consumption Apache XML Security for Java 1.5.1 152698975 Vulnerability 4.3 CVE-2013-2172: Spoofable XML Signature Apache XML Security for Java 1.5.1 152698976 Vulnerability 4.3 CVE-2015-2944: Multiple Cross-site Scripting (XSS) Vulnerabilities Apache Sling API 
2.0.2-incubator 152698977 Vulnerability 4.3 CVE-2018-1002200: Arbitrary File Write Plexus Archiver Component 1.0-alpha-3 152698978 Vulnerability 7.5 CVE-2017-1000487: Command Line Shell Injection Plexus Common Utilities 1.0.4 152698979 Vulnerability 6.4 NO-CVE: SAML Assertion Insertion Keycloak SAML Core 1.8.1.Final 152698980 Vulnerability 5.0 CVE-2017-2646: Denial Of Service (DoS) Keycloak SAML Core 1.8.1.Final 152698981 Vulnerability 4.0 CVE-2017-2582: Information Disclosure Keycloak SAML Core 1.8.1.Final 152698982 Vulnerability 5.0 CVE-2015-0886: Information Disclosure Of Password Hashes Through Crypt_raw jBCrypt 0.3m 152698983 Vulnerability 7.5 CVE-2022-22965: Remote Code Execution (RCE) Spring Beans 4.3.10.RELEASE 152698984 Vulnerability 3.5 CVE-2022-22970: Denial Of Service (DoS) Spring Beans 4.3.10.RELEASE 152701835 Vulnerability 5.0 CVE-2022-22968: Binding Rules Bypass Spring Context 4.3.10.RELEASE 152701836 Vulnerability 6.0 CVE-2018-1272: Privilege Escalation Through Multipart Content Pollution Spring Core 4.3.10.RELEASE 152701837 Vulnerability 4.0 CVE-2021-22096: Log Injection Spring Core 4.3.10.RELEASE 152701838 Vulnerability 4.0 CVE-2022-22950: Denial Of Service (DoS) Spring Expression Language (SpEL) 4.3.10.RELEASE 152701839 Vulnerability 5.0 CVE-2018-15756: Denial Of Service (DoS) Spring Web 4.3.10.RELEASE 152701840 Vulnerability 4.3 CVE-2018-11039: Cross-Site Tracing (XST) Spring Web 4.3.10.RELEASE 152701841 Vulnerability 3.6 CVE-2020-5421: Reflected File Download (RFD) Attack Spring Web 4.3.10.RELEASE 152701842 Vulnerability 5.0 CVE-2018-15756: Denial Of Service (DoS) Spring Web MVC 4.3.10.RELEASE 152701843 Vulnerability 5.0 CVE-2018-1199: Security Constraint Bypass Spring Web MVC 4.3.10.RELEASE 152701844 Vulnerability 4.3 CVE-2018-11040: Cross-Domain Request Through Insecure JSONP Defaults Spring Web MVC 4.3.10.RELEASE 152701845 Vulnerability 4.3 CVE-2018-1271: Directory Traversal Spring Web MVC 4.3.10.RELEASE 152701849 Outdated Library 3.0 Latest 
version at scan: 2.11.0 Apache Commons IO 2.4 152701850 Outdated Library 3.0 Latest version at scan: 1.5.0-b01 JavaMail API (compat) 1.4.7 152701851 Outdated Library 3.0 Latest version at scan: 4.0.1 Java Servlet API 3.0.1 152701852 Outdated Library 3.0 Latest version at scan: 2.4.0-b180830.0359 jaxb-api 2.3.0 152701854 Outdated Library 3.0 Latest version at scan: 4.4 Apache Commons Collections 4.0 152701855 Outdated Library 3.0 Latest version at scan: 2.4.2 Apache Sling Maven Plugin Relocation 2.0.4-incubator 152701857 Outdated Library 3.0 Latest version at scan: 0.4 jBCrypt 0.3m 152701858 Outdated Library 3.0 Latest version at scan: 1.2.3 JSP Encoder 1.2.1 152701859 Outdated Library 3.0 Latest version at scan: 1.2.3 Java Encoder 1.2.1 152701867 License 9.0 Library has High-Risk License Old JAXB Core 2.3.0 152701868 License 9.0 Library has High-Risk License Old JAXB Runtime 2.3.0 152701869 License 9.0 Library has High-Risk License JavaMail API (compat) 1.4.7 152701870 License 9.0 Library has High-Risk License jstl 1.2 152701871 License 9.0 Library has High-Risk License jaxb-api 2.3.0 152701872 License 9.0 Library has High-Risk License mysql-connector-java 5.1.35 157309416 Vulnerability 7.5 CVE-2016-1000027: Remote Code Execution (RCE) Spring Web 4.3.10.RELEASE 168650744 Vulnerability 7.8 CVE-2023-24998: Denial Of Service (DoS) Apache Commons FileUpload 1.3.2 172224398 Vulnerability 5.0 CVE-2023-26464: Denial Of Service (DoS) Apache Log4j 1.2.17 176123273 Vulnerability 6.8 CVE-2023-20861: Denial Of Service (DoS) Spring Expression Language (SpEL) 4.3.10.RELEASE 179848810 Outdated Library 3.0 Latest version at scan: 4.0.2 Old JAXB Core 2.3.0 179848811 Outdated Library 3.0 Latest version at scan: 4.0.2 Old JAXB Runtime 2.3.0 179848812 Outdated Library 3.0 Latest version at scan: 1.5 Apache Commons FileUpload 1.3.2 179848814 Outdated Library 3.0 Latest version at scan: 21.0.2 Keycloak SAML Core 1.8.1.Final 179848815 Outdated Library 3.0 Latest version at scan: 2.0.7 
SLF4J LOG4J-12 Binding relocated 1.7.7 179848816 Outdated Library 3.0 Latest version at scan: 6.0.8 Spring Context 4.3.10.RELEASE 179848817 Outdated Library 3.0 Latest version at scan: 6.0.8 Spring Core 4.3.10.RELEASE 179848818 Outdated Library 3.0 Latest version at scan: 6.0.8 Spring JDBC 4.3.10.RELEASE 179848819 Outdated Library 3.0 Latest version at scan: 6.0.8 Spring Transaction 4.3.10.RELEASE 179848820 Outdated Library 3.0 Latest version at scan: 6.0.8 Spring Web 4.3.10.RELEASE 179848821 Outdated Library 3.0 Latest version at scan: 6.0.8 Spring Web MVC 4.3.10.RELEASE 180180926 Vulnerability 6.8 CVE-2023-20863: Denial Of Service (DoS) Spring Expression Language (SpEL) 4.3.10.RELEASE 180180927 Outdated Library 3.0 Latest version at scan: 8.0.33 mysql-connector-java 5.1.35 Full Report Details https://sca.analysiscenter.veracode.com/teams/gZZUdoD/scans/49001776
Scan Summary:
PIPELINE_SCAN_VERSION: 23.4.1-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 951a3b29-0cf8-43aa-8aef-f1b9ab386101
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 345688 bytes
====================
Analysis Successful.
====================
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 157 issues.
====================
details
-------------------------------------
Found 1 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:36
**Total flaws found: 157, New flaws found: 1 as compared to baseline**
========================
FAILURE: Found 1 issues!
========================
Scan Summary:
PIPELINE_SCAN_VERSION: 22.11.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 3e890fdf-60a8-4bc1-b7ac-6e5271f70d5c
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 349715 bytes
====================
Analysis Successful.
====================
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 158 issues.
====================
details
-------------------------------------
Found 4 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 14 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:166
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:251
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:316
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:384
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:495
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:506
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
--------------------------------------
Skipping 92 issues of Medium severity.
--------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 18 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================