gwhittemore-veracode / Veracode-GW-Training-demo


Information Exposure Through an Error Message [VID:209:com/veracode/verademo/controller/UserController.java:949] #146

Open github-actions[bot] opened 2 years ago

github-actions[bot] commented 2 years ago

https://github.com/gwhittemore-veracode/Veracode-GW-Training-demo/blob/2add22ec1b5a85a51e5134a9af33bf2e99488d44/com/veracode/verademo/controller/UserController.java#L944-L954

Filename: com/veracode/verademo/controller/UserController.java

Line: 949

CWE: 209 (Information Exposure Through an Error Message)

The application calls the javax.mail.Transport.send() function, which may expose information about the application logic or other details such as the names and versions of the application container and associated components. This information can be useful in executing other attacks and can also enable the attacker to target known vulnerabilities in application components. The first argument to send() contains data from an error message (possibly containing untrusted data) from the variable message. The data from an error message (possibly containing untrusted data) originated from earlier calls to java.lang.NullPointerException.getMessage, java.lang.Throwable.getMessage, and java.lang.Throwable.printStackTrace. Ensure that error codes or other messages returned to end users are not overly verbose. Sanitize all messages of any sensitive information that is not absolutely necessary. References: CWE
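The pattern the finding describes, next to a hardened form, as an added illustration. This is not code from the repository (the flagged UserController.java lines are not reproduced here) and the `loadProfile` method, its input string and the message wording are invented for the demonstration. It uses only the JDK; the `javax.mail.Transport.send()` call is left out so the example runs stand-alone, and the returned body is what would otherwise be handed to it.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class ErrorMessageExposure {

    private static final Logger LOG = Logger.getLogger(ErrorMessageExposure.class.getName());

    // VULNERABLE pattern (illustrative): the mail body is assembled from
    // Throwable.getMessage() and printStackTrace(). Class names, line numbers,
    // the Java "helpful NPE" text naming variables and methods, and any
    // untrusted data that ended up in the exception message all reach the
    // recipient. This is the shape CWE-209 flags when the string goes to send().
    static String buildLeakyBody(Throwable t) {
        StringWriter sw = new StringWriter();
        t.printStackTrace(new PrintWriter(sw));
        return "Sorry, an error occurred: " + t.getMessage() + "\n\n" + sw;
    }

    // HARDENED: the recipient gets a fixed sentence plus an opaque reference.
    // The full exception is logged server-side under the same reference, so
    // support can still correlate the report without the detail leaving the host.
    // The reference is a random UUID, not a counter, so it is not guessable.
    static String buildSafeBody(Throwable t) {
        String ref = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "Unhandled error, ref=" + ref, t);
        return "Sorry, an error occurred. Please contact support and quote reference " + ref + ".";
    }

    // Quick check usable in a unit test or a pre-send guard: does the body
    // carry anything that looks like a stack frame or an exception class name?
    static boolean looksLikeStackTrace(String body) {
        return body.contains("\tat ") || body.contains("Exception");
    }

    // Stand-in for the faulting code path (invented): a lookup miss leaves the
    // reference null and the dereference throws a NullPointerException.
    static String loadProfile(String userId) {
        String profile = null;   // simulated lookup miss for the supplied id
        return profile.trim();   // NullPointerException, message names "profile" on Java 14+
    }

    public static void main(String[] args) {
        try {
            loadProfile("someone@example.com");   // constructed input
        } catch (NullPointerException e) {
            String leaky = buildLeakyBody(e);
            String safe = buildSafeBody(e);
            System.out.println("=== body the vulnerable path would pass to Transport.send ===");
            System.out.println(leaky);
            System.out.println("contains trace: " + looksLikeStackTrace(leaky));   // true
            System.out.println("=== hardened body ===");
            System.out.println(safe);
            System.out.println("contains trace: " + looksLikeStackTrace(safe));    // false
        }
    }
}
```

The split matters more than the wording: whatever text is built for an external channel (mail, HTTP response, chat webhook) should be a constant chosen by the developer, and the only per-incident value in it should be an identifier that means nothing without access to the server log. Also keep the log call in the catch block rather than in the message builder if the same builder is reused on paths that already log, otherwise the trace is written twice.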

github-actions[bot] commented 2 years ago

Veracode issue link to PR: https://github.com/gwhittemore-veracode/Veracode-GW-Training-demo/pull/7

github-actions[bot] commented 1 year ago

Veracode issue link to PR: https://github.com/gwhittemore-veracode/Veracode-GW-Training-demo/pull/174