Closed pyn3rd closed 1 year ago
BTW, could I create a report on the HackerOne Bug Bounty Platform for your program? Like this one: https://hackerone.com/reports/1512936
Hello @pyn3rd :wave: GitHub Security Lab has two types of bug bounty programs—CodeQL All for one (write a CodeQL query and have it merged in the upstream CodeQL repository) and Bug Slayer (disclose and fix vulnerabilities in open source projects).
Unfortunately, since you are not the author of the CodeQL query, we cannot award a bounty in this category. The submission would be eligible for the bounty in the Bug Slayer program if the vulnerabilities were found in open source projects. However, since the projects aren’t open source, we cannot award a bounty in this category either.
We encourage you to create new or extend existing CodeQL queries to be eligible for a bounty in the CodeQL All for one category, or to disclose and fix vulnerabilities in open source projects with the queries for the Bug Slayer category! If you would be interested in running CodeQL queries at scale to find vulnerabilities in open source projects (for example, using the JDBC query you linked to), we suggest using MRVA—MRVA can run a given CodeQL query against a thousand open source projects hosted at GitHub at once using the built-in project lists or your own lists.
Good luck & happy hacking!
Your submission is now in status Closed.
For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed
Query PR
github/codeql#8357
Language
Java
CVE(s) ID list
https://www.ibm.com/support/pages/node/7010029
CVE-2023-27869, CVE-2023-27867, CVE-2023-27868
CWE
No response
Report
JDBC is the basic implementation of Java Applications. It is a fundamental Java API, which is utilized to specify how to connect to diverse databases. However, different vendors have their own implementations for their own databases, like Oracle DB, IBM DB2, MySQL, PostgreSQL, etc.
Attackers are able to construct a malicious JDBC URL to conduct RCE with particular JDBC properties.
If there is an application that includes the IBM DB2 JDBC driver, the attacker definitely can trigger the RCE according to my reports.
Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).
Blog post link
No response
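A defensive check for the risk the report describes, as an added example that is not part of the original submission or of any project named on this page: validate a DB2 JDBC URL built from untrusted input against an allowlist before it reaches `DriverManager`. The class name, the host `db2.internal.example` and the set of permitted properties are assumptions; the URL shape is the IBM type-4 form `jdbc:db2://host:port/database:name=value;`.

```java
import java.util.Set;

// Added example: allowlist check for a DB2 JDBC URL assembled from untrusted input.
public class Db2JdbcUrlCheck {
    // Assumptions: the host and the properties this hypothetical application needs.
    static final Set<String> ALLOWED_HOSTS = Set.of("db2.internal.example");
    static final Set<String> ALLOWED_PROPS = Set.of("currentSchema", "sslConnection", "loginTimeout");
    static final String PREFIX = "jdbc:db2://";

    static boolean isAllowed(String url) {
        if (url == null || !url.startsWith(PREFIX)) return false;
        String rest = url.substring(PREFIX.length());
        int slash = rest.indexOf('/');
        if (slash < 0) return false;

        // Authority: exact host match, optional numeric port, nothing else.
        String[] hostPort = rest.substring(0, slash).split(":", -1);
        if (hostPort.length > 2 || !ALLOWED_HOSTS.contains(hostPort[0])) return false;
        if (hostPort.length == 2 && !hostPort[1].matches("\\d{1,5}")) return false;

        // Database name, then an optional ":" followed by "name=value;" pairs.
        String tail = rest.substring(slash + 1);
        int colon = tail.indexOf(':');
        String database = colon < 0 ? tail : tail.substring(0, colon);
        if (!database.matches("[A-Za-z0-9_]+")) return false;
        if (colon < 0) return true;

        for (String pair : tail.substring(colon + 1).split(";")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            // Reject malformed pairs and any property name that is not allowlisted.
            if (eq <= 0 || !ALLOWED_PROPS.contains(pair.substring(0, eq))) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        String[] samples = {                       // constructed sample input
            "jdbc:db2://db2.internal.example:50000/SAMPLE:currentSchema=APP;sslConnection=true;",
            "jdbc:db2://db2.internal.example:50000/SAMPLE:someOtherProperty=x;",
            "jdbc:db2://other.example:50000/SAMPLE",
            "jdbc:mysql://db2.internal.example/SAMPLE"
        };
        for (String s : samples) System.out.println((isAllowed(s) ? "ALLOW  " : "REJECT ") + s);
    }
}
```

An allowlist is used instead of a blocklist so that any property the application does not explicitly need, including ones introduced by later driver versions, is rejected by default.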