JoshRMendDemo / Java-Demo

Apache License 2.0

Code Security Report: 12 high severity findings, 27 total findings #19

Open mend-for-github-com[bot] opened 1 year ago

mend-for-github-com[bot] commented 1 year ago

Code Security Report

Scan Metadata

Latest Scan: 2024-07-29 02:15pm
Total Findings: 27 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 109
Detected Programming Languages: 2 (JavaScript / TypeScript, Java)

Most Relevant Findings

The list below presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend Application.

Severity | Vulnerability Type | CWE | File | Data Flows | Date
High | SQL Injection | [CWE-89](https://cwe.mitre.org/data/definitions/89.html) | [SQLInjectionServlet.java:69](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java#L69) | 1 | 2024-07-25 02:09pm

Vulnerable Code: https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java#L64-L69

1 Data Flow/s detected:
- [SQLInjectionServlet.java#L27](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java#L27)
- [SQLInjectionServlet.java#L45](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java#L45)
- [SQLInjectionServlet.java#L60](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java#L60)
- [SQLInjectionServlet.java#L69](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java#L69)

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior SQL Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/sql/java/vanilla)
- Videos
  - [Secure Code Warrior SQL Injection Video](https://media.securecodewarrior.com/v2/module_01_sql_injection.mp4)
- Further Reading
  - [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)
  - [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
  - [OWASP Query Parameterization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html)
 
High | Expression Language Injection | [CWE-917](https://cwe.mitre.org/data/definitions/917.html) | [OGNLExpressionInjectionServlet.java:35](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/OGNLExpressionInjectionServlet.java#L35) | 1 | 2024-07-25 02:09pm

Vulnerable Code: https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/OGNLExpressionInjectionServlet.java#L30-L35

1 Data Flow/s detected:
- [OGNLExpressionInjectionServlet.java#L31](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/OGNLExpressionInjectionServlet.java#L31)
- [OGNLExpressionInjectionServlet.java#L34](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/OGNLExpressionInjectionServlet.java#L34)
- [OGNLExpressionInjectionServlet.java#L35](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/OGNLExpressionInjectionServlet.java#L35)

Secure Code Warrior Training Material
- Further Reading
  - [OWASP Top Ten Proactive Controls 2018 C5: Validate All Inputs](https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs)
  - [OWASP Injection Prevention Cheat Sheet in Java](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
  - [OWASP Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)
  - [OWASP Top Ten 2021 A03: Injection](https://owasp.org/Top10/A03_2021-Injection/)
 
High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [NullByteInjectionServlet.java:47](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/NullByteInjectionServlet.java#L47) | 1 | 2024-07-25 02:09pm

Vulnerable Code: https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/NullByteInjectionServlet.java#L42-L47

1 Data Flow/s detected:
- [NullByteInjectionServlet.java#L35](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/NullByteInjectionServlet.java#L35)
- [NullByteInjectionServlet.java#L40](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/NullByteInjectionServlet.java#L40)
- [NullByteInjectionServlet.java#L46](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/NullByteInjectionServlet.java#L46)
- [NullByteInjectionServlet.java#L47](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/NullByteInjectionServlet.java#L47)

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/java/vanilla)
- Videos
  - [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
High | Code Injection | [CWE-94](https://cwe.mitre.org/data/definitions/94.html) | [CodeInjectionServlet.java:65](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java#L65) | 1 | 2024-07-25 02:09pm

Vulnerable Code: https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java#L60-L65

1 Data Flow/s detected:
- [CodeInjectionServlet.java#L25](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java#L25)
- [CodeInjectionServlet.java#L44](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java#L44)
- [CodeInjectionServlet.java#L45](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java#L45)
- [CodeInjectionServlet.java#L46](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java#L46)
- [CodeInjectionServlet.java#L47](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java#L47)
- [CodeInjectionServlet.java#L61](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java#L61)
- [CodeInjectionServlet.java#L65](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java#L65)

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Code Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/code/java/vanilla)
- Videos
  - [Secure Code Warrior Code Injection Video](https://media.securecodewarrior.com/v2/Module_28_CODE_INJECTION_v2.mp4)
- Further Reading
  - [OWASP Command Injection](https://owasp.org/www-community/attacks/Code_Injection)
  - [SEI CERT Oracle Coding Standard for Java - Prevent Code Injection](https://wiki.sei.cmu.edu/confluence/display/java/IDS52-J.+Prevent+code+injection)
 
High | Cross-Site Scripting | [CWE-79](https://cwe.mitre.org/data/definitions/79.html) | [AbstractServlet.java:94](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java#L94) | 12 | 2024-07-25 02:09pm

Vulnerable Code: https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java#L89-L94

12 Data Flow/s detected:

Data Flow 1:
- [TruncationErrorServlet.java#L21](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/troubles/TruncationErrorServlet.java#L21)
- [TruncationErrorServlet.java#L31](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/troubles/TruncationErrorServlet.java#L31)
- [TruncationErrorServlet.java#L30](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/troubles/TruncationErrorServlet.java#L30)
- [TruncationErrorServlet.java#L44](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/troubles/TruncationErrorServlet.java#L44)
- [AbstractServlet.java#L31](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java#L31)
- [AbstractServlet.java#L94](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java#L94)

Data Flow 2:
- [RoundOffErrorServlet.java#L22](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/troubles/RoundOffErrorServlet.java#L22)
- [RoundOffErrorServlet.java#L30](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/troubles/RoundOffErrorServlet.java#L30)
- [RoundOffErrorServlet.java#L43](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/troubles/RoundOffErrorServlet.java#L43)
- [AbstractServlet.java#L31](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java#L31)
- [AbstractServlet.java#L94](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java#L94)

Data Flow 3:
- [NetworkSocketLeakServlet.java#L27](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/troubles/NetworkSocketLeakServlet.java#L27)
- [NetworkSocketLeakServlet.java#L42](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/troubles/NetworkSocketLeakServlet.java#L42)
- [NetworkSocketLeakServlet.java#L54](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/troubles/NetworkSocketLeakServlet.java#L54)
- [AbstractServlet.java#L31](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java#L31)
- [AbstractServlet.java#L94](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java#L94)

[View more Data Flows](https://saas.mend.io/app/orgs/JoshR-Demo-Github/scans/138da812-2738-4884-8605-208d95348b54/sast?project=fd1412f1-2b1d-44b8-8ef2-def6b771aefa&findingSnapshotId=9f15cbd4-81cf-43c3-a211-92d6b6b38ad2&filtered=yes)

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Cross-Site Scripting Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/xss/reflected/java/vanilla)
- Videos
  - [Secure Code Warrior Cross-Site Scripting Video](https://media.securecodewarrior.com/v2/module_73_reflected_cross_site_scripting.mp4)
 
High | Server Side Request Forgery | [CWE-918](https://cwe.mitre.org/data/definitions/918.html) | [NetworkSocketLeakServlet.java:34](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/troubles/NetworkSocketLeakServlet.java#L34) | 1 | 2024-07-25 02:09pm

Vulnerable Code: https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/troubles/NetworkSocketLeakServlet.java#L29-L34

1 Data Flow/s detected:
- [NetworkSocketLeakServlet.java#L27](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/troubles/NetworkSocketLeakServlet.java#L27)
- [NetworkSocketLeakServlet.java#L31](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/troubles/NetworkSocketLeakServlet.java#L31)
- [NetworkSocketLeakServlet.java#L34](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/troubles/NetworkSocketLeakServlet.java#L34)

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Server Side Request Forgery Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/ssrf/generic/java/vanilla)
- Videos
  - [Secure Code Warrior Server Side Request Forgery Video](https://media.securecodewarrior.com/v2/module_125_server_side_request_forgery.mp4)
 
High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [UnrestrictedSizeUploadServlet.java:127](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L127) | 1 | 2024-07-25 02:09pm

Vulnerable Code: https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L122-L127

1 Data Flow/s detected:
- [UnrestrictedSizeUploadServlet.java#L70](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L70)
- [UnrestrictedSizeUploadServlet.java#L71](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L71)
- [MultiPartFileUtils.java#L56](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L56)
- [MultiPartFileUtils.java#L57](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L57)
- [MultiPartFileUtils.java#L59](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L59)
- [UnrestrictedSizeUploadServlet.java#L71](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L71)
- [UnrestrictedSizeUploadServlet.java#L84](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L84)
- [UnrestrictedSizeUploadServlet.java#L111](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L111)
- [UnrestrictedSizeUploadServlet.java#L127](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L127)

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/java/vanilla)
- Videos
  - [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [UnrestrictedSizeUploadServlet.java:114](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L114) | 1 | 2024-07-25 02:09pm

Vulnerable Code: https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L109-L114

1 Data Flow/s detected:
- [UnrestrictedSizeUploadServlet.java#L70](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L70)
- [UnrestrictedSizeUploadServlet.java#L71](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L71)
- [MultiPartFileUtils.java#L56](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L56)
- [MultiPartFileUtils.java#L57](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L57)
- [MultiPartFileUtils.java#L59](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L59)
- [UnrestrictedSizeUploadServlet.java#L71](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L71)
- [UnrestrictedSizeUploadServlet.java#L84](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L84)
- [UnrestrictedSizeUploadServlet.java#L111](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L111)
- [UnrestrictedSizeUploadServlet.java#L114](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L114)

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/java/vanilla)
- Videos
  - [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [MultiPartFileUtils.java:33](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L33) | 3 | 2024-07-25 02:09pm

Vulnerable Code: https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L28-L33

3 Data Flow/s detected:

Data Flow 1:
- [XEEandXXEServlet.java#L141](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/XEEandXXEServlet.java#L141)
- [XEEandXXEServlet.java#L148](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/XEEandXXEServlet.java#L148)
- [MultiPartFileUtils.java#L56](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L56)
- [MultiPartFileUtils.java#L57](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L57)
- [MultiPartFileUtils.java#L59](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L59)
- [XEEandXXEServlet.java#L148](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/XEEandXXEServlet.java#L148)
- [XEEandXXEServlet.java#L157](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/XEEandXXEServlet.java#L157)
- [MultiPartFileUtils.java#L28](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L28)
- [MultiPartFileUtils.java#L33](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L33)

Data Flow 2:
- [UnrestrictedExtensionUploadServlet.java#L69](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L69)
- [UnrestrictedExtensionUploadServlet.java#L76](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L76)
- [MultiPartFileUtils.java#L56](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L56)
- [MultiPartFileUtils.java#L57](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L57)
- [MultiPartFileUtils.java#L59](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L59)
- [UnrestrictedExtensionUploadServlet.java#L76](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L76)
- [UnrestrictedExtensionUploadServlet.java#L81](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java#L81)
- [MultiPartFileUtils.java#L28](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L28)
- [MultiPartFileUtils.java#L33](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L33)

Data Flow 3:
- [UnrestrictedSizeUploadServlet.java#L70](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L70)
- [UnrestrictedSizeUploadServlet.java#L71](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L71)
- [MultiPartFileUtils.java#L56](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L56)
- [MultiPartFileUtils.java#L57](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L57)
- [MultiPartFileUtils.java#L59](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L59)
- [UnrestrictedSizeUploadServlet.java#L71](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L71)
- [UnrestrictedSizeUploadServlet.java#L80](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java#L80)
- [MultiPartFileUtils.java#L28](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L28)
- [MultiPartFileUtils.java#L33](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L33)

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/java/vanilla)
- Videos
  - [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [MailHeaderInjectionServlet.java:138](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/MailHeaderInjectionServlet.java#L138) | 1 | 2024-07-25 02:09pm

Vulnerable Code: https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/MailHeaderInjectionServlet.java#L133-L138

1 Data Flow/s detected:
- [MailHeaderInjectionServlet.java#L125](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/MailHeaderInjectionServlet.java#L125)
- [MailHeaderInjectionServlet.java#L127](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/MailHeaderInjectionServlet.java#L127)
- [MultiPartFileUtils.java#L56](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L56)
- [MultiPartFileUtils.java#L57](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L57)
- [MultiPartFileUtils.java#L59](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/core/utils/MultiPartFileUtils.java#L59)
- [MailHeaderInjectionServlet.java#L127](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/MailHeaderInjectionServlet.java#L127)
- [MailHeaderInjectionServlet.java#L133](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/MailHeaderInjectionServlet.java#L133)
- [MailHeaderInjectionServlet.java#L138](https://github.com/JoshRMendDemo/Java-Demo/blob/827843f06c7e311dcb2990c36a9603bb1aa96e48/src/main/java/org/t246osslab/easybuggy/vulnerabilities/MailHeaderInjectionServlet.java#L138)

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/java/vanilla)
- Videos
  - [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)

Findings Overview

| Severity | Vulnerability Type | CWE | Language | Count |
|---|---|---|---|---|
| High | Path/Directory Traversal | CWE-22 | Java* | 7 |
| High | Code Injection | CWE-94 | Java* | 1 |
| High | Expression Language Injection | CWE-917 | Java* | 1 |
| High | Cross-Site Scripting | CWE-79 | Java* | 1 |
| High | SQL Injection | CWE-89 | Java* | 1 |
| High | Server Side Request Forgery | CWE-918 | Java* | 1 |
| Medium | Insufficient Transport Layer Protection | CWE-319 | Java* | 1 |
| Medium | XML External Entity (XXE) Injection | CWE-611 | Java* | 1 |
| Medium | Trust Boundary Violation | CWE-501 | Java* | 5 |
| Medium | Error Messages Information Exposure | CWE-209 | Java* | 1 |
| Medium | Readline Denial of Service | CWE-400 | Java* | 1 |
| Low | Unvalidated/Open Redirect | CWE-601 | Java* | 4 |
| Low | Log Forging | CWE-117 | Java* | 1 |
| Low | HTTP Header Injection | CWE-113 | Java* | 1 |