gwhittemore-veracode / Veracode-GW-training


Deserialization of Untrusted Data [VID:502:com/veracode/verademo/utils/UserFactory.java:44] #190

Open github-actions[bot] opened 2 years ago

github-actions[bot] commented 2 years ago

https://github.com/gwhittemore-veracode/Veracode-GW-training/blob/3e6598b8340cfd817470866404f9c90179a22e60/com/veracode/verademo/utils/UserFactory.java#L39-L49

Filename: com/veracode/verademo/utils/UserFactory.java

Line: 44

CWE: 502 (Deserialization of Untrusted Data)

The serialized-object data stream used in the call to java.io.ObjectInput.readObject() appears to have been constructed with untrusted data. Attacker manipulation of this stream has the ability to cause the creation of objects of arbitrary Serializable types. Paired with a weakness in another class's constructor, this could result in a denial of service, code execution, or data corruption vulnerability. readObject() was called on the in object, which contains tainted data. The tainted data originated from an earlier call to javax.servlet.http.HttpServletRequest.getCookies. Avoid passing untrusted data; if the data is untrusted, consider switching to a safer serialization scheme such as JSON. References: CWE
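
The pattern the finding describes, as an added illustration rather than VeraDemo's own code: a Base64-encoded Java serialized object arrives in a request cookie, and `ObjectInputStream.readObject()` instantiates whatever class the stream names before the caller's cast to the expected type can fail. The `User` and `Canary` classes, the cookie encoding and the helper names below are assumptions for the demo; the hardened variant uses a JEP 290 deserialization filter (`java.io.ObjectInputFilter`, Java 9+) so that only the expected class is ever resolved and built.

```java
import java.io.*;
import java.util.Base64;

// Added demo of CWE-502 via a serialized cookie; not code from the VeraDemo repository.
// Assumes the cookie value is a Base64-encoded Java serialization stream that the
// application expects to contain a User. Canary stands in for any Serializable class
// an attacker can name in the stream (a real gadget chain would do harm in readObject).
public class CookieDeserializationDemo {

    // The type the application intends to read back from the cookie (hypothetical).
    static final class User implements Serializable {
        private static final long serialVersionUID = 1L;
        final String username;
        User(String username) { this.username = username; }
    }

    // Hypothetical attacker-chosen class: its readObject runs during deserialization,
    // before the caller ever gets a chance to cast the result to User.
    static final class Canary implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean triggered = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true; // side effect observable from the caller
        }
    }

    // What a client (or attacker) sends as the cookie value (constructed for the demo).
    static String encodeCookie(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    // VULNERABLE: readObject() on attacker-controlled bytes. Any Serializable class on the
    // classpath can be instantiated; the cast to User happens only afterwards.
    static User userFromCookieUnsafe(String cookieValue) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(cookieValue);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return (User) in.readObject();
        }
    }

    // HARDENED: an allowlist filter rejects every class except User before it is
    // instantiated, so no constructor or readObject of an unexpected class runs.
    // Extend the allowlist if User gains fields of non-primitive, non-String types.
    static User userFromCookieFiltered(String cookieValue) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(cookieValue);
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(User.class.getName() + ";!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(filter);
            return (User) in.readObject(); // InvalidClassException ("filter status: REJECTED") otherwise
        }
    }

    public static void main(String[] args) throws Exception {
        String legit = encodeCookie(new User("alice"));
        String hostile = encodeCookie(new Canary());

        System.out.println("unsafe, legit cookie: " + userFromCookieUnsafe(legit).username);
        try {
            userFromCookieUnsafe(hostile);
        } catch (ClassCastException e) {
            // Too late: Canary.readObject has already executed.
            System.out.println("unsafe, hostile cookie: canary triggered = " + Canary.triggered);
        }

        Canary.triggered = false;
        System.out.println("filtered, legit cookie: " + userFromCookieFiltered(legit).username);
        try {
            userFromCookieFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered, hostile cookie: rejected, canary triggered = " + Canary.triggered);
        }
    }
}
```

Run with `java CookieDeserializationDemo.java` on Java 11 or later. The unsafe path reports the canary as triggered even though the cast fails, which is exactly why "the cast would fail anyway" is not a mitigation. The filter closes that gap for this code path; a process-wide default can be set with the `jdk.serialFilter` system property so that unfiltered `ObjectInputStream` uses elsewhere are covered too. The finding's other suggestion, moving the cookie to a JSON representation parsed into a fixed target type, removes class-by-name instantiation entirely, provided the JSON library is not configured for polymorphic type handling.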

github-actions[bot] commented 2 years ago

Veracode issue link to PR: https://github.com/gwhittemore-veracode/Veracode-GW-training/pull/189