Closed p0wn4j closed 2 years ago
Your submission is now in status Test run.
For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed
Your submission is now in status Results analysis.
Your submission is now in status Query review.
Your submission is now in status Final decision.
Your submission is now in status Pay.
Created Hackerone report 1512936 for bounty 376398 : [548] [Java]: Add JDBC connection SSRF sinks
Your submission is now in status Closed.
Thanks for the bounty :)
Query PR
https://github.com/github/codeql/pull/8357
Language
Java
CVE(s) ID list
CVE-2020-21122
CWE
CWE-918: Server-Side Request Forgery (SSRF)
Report
JDBC is part of the Java Standard Edition platform: a Java API that defines how a client may access a database. JDBC uses a connection URL/URI to connect to a specific database.
An attacker-controllable JDBC URL can lead to SSRF/XSPA. According to the research Make JDBC Attacks Brilliant Again (https://conference.hitb.org/hitbsecconf2021sin/sessions/make-jdbc-attacks-brilliant-again/), an attacker can also gain remote code execution.
If an application uses the MySQL connector, an attacker can achieve RCE via a deserialization attack. The PostgreSQL JDBC driver has the CVE-2022-21724 vulnerability, where an attacker can achieve RCE via several JDBC parameters. There are also attack cases with the H2, Apache Derby, ModeShape and SQLite connectors.
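The sink the report describes, shown as an added Java example (not code from the report, the CodeQL PR or any driver project): `connectUnsafe` passes a request-supplied connection URL straight to `DriverManager.getConnection`, which is the pattern the new query models as an SSRF sink, while `connectSafe` and `isAllowedJdbcUrl` show two hardened shapes, fixing the driver, host and port in code and allowlisting the remaining input. The class name, the host `db.internal.example`, the database names and the sample inputs in `main` are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Set;

// Added example: the JDBC-URL SSRF sink beside two hardened forms.
// Hypothetical class and values; not the project's own code.
public class JdbcUrlSink {

    // VULNERABLE: the entire URL comes from the request, so the caller picks the
    // driver prefix (subprotocol), host, port and driver-specific parameters.
    static Connection connectUnsafe(String urlFromRequest) throws SQLException {
        return DriverManager.getConnection(urlFromRequest); // SSRF sink
    }

    // Hardened form 1: driver, host and port are fixed constants; only the
    // database name is taken from input and it must pass a strict allowlist.
    private static final String BASE = "jdbc:postgresql://db.internal.example:5432/";
    private static final Set<String> ALLOWED_DATABASES = Set.of("orders", "inventory");

    static Connection connectSafe(String dbNameFromRequest, String user, String password)
            throws SQLException {
        String db = validateDatabaseName(dbNameFromRequest);
        return DriverManager.getConnection(BASE + db, user, password);
    }

    static String validateDatabaseName(String name) {
        // Syntactic check first, then an explicit allowlist; anything else is rejected.
        if (name == null || !name.matches("[a-z][a-z0-9_]{0,30}")) {
            throw new IllegalArgumentException("invalid database name");
        }
        if (!ALLOWED_DATABASES.contains(name)) {
            throw new IllegalArgumentException("database not allowed");
        }
        return name;
    }

    // Hardened form 2: when a full JDBC URL must be accepted (e.g. from an admin
    // configuration screen), parse it and allowlist subprotocol and host, and
    // reject any query string so driver-specific parameters stay under app control.
    private static final Set<String> ALLOWED_SUBPROTOCOLS = Set.of("postgresql");
    private static final Set<String> ALLOWED_HOSTS = Set.of("db.internal.example");

    static boolean isAllowedJdbcUrl(String url) {
        if (url == null || !url.startsWith("jdbc:")) {
            return false;
        }
        URI u;
        try {
            // "jdbc:postgresql://host:5432/db" -> parse the part after "jdbc:"
            u = new URI(url.substring("jdbc:".length()));
        } catch (URISyntaxException e) {
            return false;
        }
        if (u.getScheme() == null || !ALLOWED_SUBPROTOCOLS.contains(u.getScheme())) {
            return false;
        }
        if (u.getHost() == null || !ALLOWED_HOSTS.contains(u.getHost())) {
            return false;
        }
        if (u.getRawQuery() != null) {
            return false; // no caller-supplied driver parameters
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; no database connection is opened here.
        String[] samples = {
            "jdbc:postgresql://db.internal.example:5432/orders",
            "jdbc:postgresql://other.host.example:5432/orders",
            "jdbc:mysql://db.internal.example:3306/orders",
            "jdbc:postgresql://db.internal.example:5432/orders?socketFactory=x",
            "not-a-jdbc-url"
        };
        for (String s : samples) {
            System.out.println((isAllowedJdbcUrl(s) ? "ALLOW " : "REJECT ") + s);
        }
        try {
            validateDatabaseName("orders; drop");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected database name: " + e.getMessage());
        }
    }
}
```

Of the five sample URLs only the first is accepted: the second fails the host allowlist, the third the subprotocol allowlist, the fourth is rejected because it carries a query string, and the last is not a `jdbc:` URL at all. In a CodeQL run, only `connectUnsafe` should be reported, since in the hardened forms no request-controlled string reaches `getConnection` without passing an allowlist barrier.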
Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).
Blog post link
No response