github / securitylab

Resources related to GitHub Security Lab
https://securitylab.github.com
MIT License

[Java]: Add JDBC connection SSRF sinks #548

Closed p0wn4j closed 2 years ago

p0wn4j commented 2 years ago

Query PR

https://github.com/github/codeql/pull/8357

Language

Java

CVE(s) ID list

CVE-2020-21122

CWE

CWE-918: Server-Side Request Forgery (SSRF)

Report

JDBC is part of the Java Standard Edition platform; it is a Java API which defines how a client may access a database. JDBC uses a connection URL/URI to make a connection with a specific database.

An attacker-controllable JDBC URL can lead to SSRF/XSPA. According to the research Make JDBC Attacks Brilliant Again (https://conference.hitb.org/hitbsecconf2021sin/sessions/make-jdbc-attacks-brilliant-again/), an attacker can also gain Remote Code Execution.

If an application uses the MySQL connector, an attacker can achieve RCE via a deserialization attack. The PostgreSQL JDBC driver has a CVE-2022-21724 vulnerability, where an attacker can achieve RCE via several JDBC parameters. There are also attack cases with the H2, Apache Derby, ModeShape, and SQLite connectors.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Blog post link

No response
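A defender-side illustration of the sink described in the report, added here and not part of the submission, the CodeQL query or any driver: `DriverManager.getConnection` called on a URL that flows from untrusted input, beside a guard that parses the URL and allow-lists the sub-protocol, host and connection properties before it reaches the sink. The class name, the allow-list contents and the sample URLs are assumptions made for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.sql.*;
import java.util.Set;

public class JdbcUrlGuard {
    // Assumed allow-lists; a real application would load these from its own configuration.
    static final Set<String> ALLOWED_SUBPROTOCOLS = Set.of("postgresql", "mysql");
    static final Set<String> ALLOWED_HOSTS = Set.of("db.internal.example");
    static final Set<String> ALLOWED_PARAMS = Set.of("sslmode", "ApplicationName");
    // Vulnerable pattern: untrusted input reaches the sink unchanged, so the caller
    // picks the driver, the host and port, and every driver property.
    static Connection connectUnsafe(String userSuppliedUrl) throws SQLException {
        return DriverManager.getConnection(userSuppliedUrl); // SSRF sink
    }
    // Hardened pattern: parse the URL and check sub-protocol, host and every
    // connection property against the allow-lists before it reaches the sink.
    static Connection connectSafe(String userSuppliedUrl) throws SQLException {
        return DriverManager.getConnection(validate(userSuppliedUrl));
    }
    static String validate(String url) {
        if (!url.startsWith("jdbc:")) throw new IllegalArgumentException("not a JDBC URL");
        URI uri;
        try {
            uri = new URI(url.substring("jdbc:".length())); // "subprotocol://host:port/db?k=v"
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("unparseable JDBC URL", e);
        }
        if (!ALLOWED_SUBPROTOCOLS.contains(uri.getScheme()))
            throw new IllegalArgumentException("driver not allowed: " + uri.getScheme());
        if (uri.getHost() == null || !ALLOWED_HOSTS.contains(uri.getHost()))
            throw new IllegalArgumentException("host not allowed: " + uri.getHost());
        if (uri.getUserInfo() != null) throw new IllegalArgumentException("credentials in URL");
        String query = uri.getRawQuery();
        for (String pair : query == null ? new String[0] : query.split("&")) {
            String key = pair.split("=", 2)[0]; // reject any property the app does not set itself
            if (!ALLOWED_PARAMS.contains(key))
                throw new IllegalArgumentException("property not allowed: " + key);
        }
        return url;
    }
    public static void main(String[] args) { // constructed inputs, not from any real system
        for (String s : new String[] { "jdbc:postgresql://db.internal.example:5432/app?sslmode=require",
                "jdbc:postgresql://other-host.example:5432/app", "jdbc:h2:mem:test",
                "jdbc:mysql://db.internal.example:3306/app?unknownOption=1" }) {
            try { validate(s); System.out.println("ACCEPT " + s); }
            catch (IllegalArgumentException e) { System.out.println("REJECT " + s + ": " + e.getMessage()); }
        }
    }
}
```

Running `main` prints ACCEPT for the first URL and REJECT for the other three (wrong host, driver not in the allow-list, unknown connection property); the stronger design is to accept only an identifier that maps to a server-side configured URL, so that no untrusted string reaches the sink at all.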

ghsecuritylab commented 2 years ago

Your submission is now in status Test run.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab commented 2 years ago

Your submission is now in status Results analysis.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab commented 2 years ago

Your submission is now in status Query review.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab commented 2 years ago

Your submission is now in status Final decision.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab commented 2 years ago

Your submission is now in status Pay.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

xcorail commented 2 years ago

Created Hackerone report 1512936 for bounty 376398 : [548] [Java]: Add JDBC connection SSRF sinks

ghsecuritylab commented 2 years ago

Your submission is now in status Closed.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

p0wn4j commented 2 years ago

Thanks for the bounty :)