juicetin / sca-vulnerable-repo


Vulnerabilities Dashboard - Code #23

Open justin-nullify[bot] opened 5 months ago

justin-nullify[bot] commented 5 months ago

Severity Threshold: 🔵 MEDIUM

7 Potential vulnerability sources found within this repo

| 🔴 CRITICAL | 🟡 HIGH | 🔵 MEDIUM | ⚪ LOW |
|-|-|-|-|
| 0 | 1 | 6 | 0 |

ID: 01HSDZM5NV1K8JRB2YR5W8SGB3 Language: CloudFormation Severity: 🟡 HIGH CKV_AWS_21

Ensure the S3 bucket has versioning enabled

Read more: https://docs.bridgecrew.io/docs/s3_16-enable-versioning

https://github.com/juicetin/sca-vulnerable-repo/blob/9ecd285aa98d4efb53a3d08f37612bd9cd704407/cloudformation-vuln/cloudformation/insecure.yaml#L5-L19

ID: 01HSDZM5NV1K8JRB2YR0QKD4ZM Language: CloudFormation Severity: 🔵 MEDIUM CKV_AWS_53

Ensure S3 bucket has block public ACLS enabled

Read more: https://docs.bridgecrew.io/docs/bc_aws_s3_19

https://github.com/juicetin/sca-vulnerable-repo/blob/9ecd285aa98d4efb53a3d08f37612bd9cd704407/cloudformation-vuln/cloudformation/insecure.yaml#L5-L19

ID: 01HSDZM5NV1K8JRB2YR4BHNQ50 Language: CloudFormation Severity: 🔵 MEDIUM CKV_AWS_54

Ensure S3 bucket has block public policy enabled

Read more: https://docs.bridgecrew.io/docs/bc_aws_s3_20

https://github.com/juicetin/sca-vulnerable-repo/blob/9ecd285aa98d4efb53a3d08f37612bd9cd704407/cloudformation-vuln/cloudformation/insecure.yaml#L5-L19

ID: 01HSDZM5NV1K8JRB2YRBH86SYT Language: Java Severity: 🔵 MEDIUM CWE-352

Java csrf rule springcsrfdisabled

The application fails to protect against Cross-Site Request Forgery (CSRF) due to disabling Spring's CSRF protection features.

The vulnerability can be exploited by an adversary creating a link or form on a third-party site and tricking an authenticated victim into accessing it.

To remediate this issue, remove the call to HttpSecurity.csrf().disable() or remove the custom CsrfConfigurer.

For more information on CSRF protection in Spring see: https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#servlet-csrf

Additionally, consider setting all session cookies to have the SameSite=Strict attribute. It should be noted that this may impact usability when sharing links across other mediums. It is recommended that a two cookie based approach is taken, as outlined in the Top level navigations section of the SameSite RFC.

For more information on CSRF see OWASP's guide: https://owasp.org/www-community/attacks/csrf

https://github.com/juicetin/sca-vulnerable-repo/blob/9ecd285aa98d4efb53a3d08f37612bd9cd704407/BackOfficeSystem/src/main/java/com/banking/BackOfficeSystem/config/SecurityConfig.java#L83-L94

ID: 01HSDZM5NV1K8JRB2YRE41FVYS Language: Java Severity: 🔵 MEDIUM CWE-352

Java csrf rule springcsrfdisabled

The application fails to protect against Cross-Site Request Forgery (CSRF) due to disabling Spring's CSRF protection features.

The vulnerability can be exploited by an adversary creating a link or form on a third-party site and tricking an authenticated victim into accessing it.

To remediate this issue, remove the call to HttpSecurity.csrf().disable() or remove the custom CsrfConfigurer.

For more information on CSRF protection in Spring see: https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#servlet-csrf

Additionally, consider setting all session cookies to have the SameSite=Strict attribute. It should be noted that this may impact usability when sharing links across other mediums. It is recommended that a two cookie based approach is taken, as outlined in the Top level navigations section of the SameSite RFC.

For more information on CSRF see OWASP's guide: https://owasp.org/www-community/attacks/csrf

https://github.com/juicetin/sca-vulnerable-repo/blob/9ecd285aa98d4efb53a3d08f37612bd9cd704407/OnlineBanking/src/main/java/com/banking/OnlineBanking/config/SecurityConfig.java#L97-L108

ID: 01HSDZM5NV1K8JRB2YRGB0R6JE Language: Java Severity: 🔵 MEDIUM CWE-359

PII data is written to the log files

Sensitive data written to log files or the file system may lead to unauthorized access or exposure to potential attack.

https://github.com/juicetin/sca-vulnerable-repo/blob/9ecd285aa98d4efb53a3d08f37612bd9cd704407/BankData/src/main/java/com/common/BankData/service/UserSecurityService.java#L28

ID: 01HSDZM5NV1K8JRB2YRK98PQPM Language: Java Severity: 🔵 MEDIUM CWE-532

PII data is written to the log files

Sensitive data written to log files or the file system may lead to unauthorized access or exposure to potential attack.

https://github.com/juicetin/sca-vulnerable-repo/blob/9ecd285aa98d4efb53a3d08f37612bd9cd704407/BankData/src/main/java/com/common/BankData/service/UserSecurityService.java#L28

Reply with /nullify to interact with me like another developer

justin-nullify[bot] commented 5 months ago

New code security updates for commit fa1236e3999f5d7b58f6b6efdb11c15b9e899e18

| New | Fixed | Allowlisted | Unallowlisted |
|-|-|-|-|
| 7 | 0 | 4 | 0 |

### New Findings

| ID | Title | File | Line | CWE |
|-|-|-|-|-|
| 01HSDZ1Y30ZF1KPPPYXWT0K3D1 | Ensure S3 bucket has block public ACLS enabled | cloudformation-vuln/cloudformation/insecure.yaml | 5 | 0 |
| 01HSDZ1Y30ZF1KPPPYY0DYT98M | Ensure S3 bucket has block public policy enabled | cloudformation-vuln/cloudformation/insecure.yaml | 5 | 0 |
| 01HSDZ1Y30ZF1KPPPYY12R26WW | Ensure the S3 bucket has versioning enabled | cloudformation-vuln/cloudformation/insecure.yaml | 5 | 0 |
| 01HSDZ1Y30ZF1KPPPYXSEBS9EZ | Ensure EKS Cluster has Secrets Encryption Enabled | cloudformation-vuln/cloudformation/eks/eks_vuln.yaml | 439 | 0 |
| 01HSDZ1Y30ZF1KPPPYY1Q2W3NA | Ensure every security groups rule has a description | cloudformation-vuln/cloudformation/regular.json | 309 | 0 |
| 01HSDZ1Y30ZF1KPPPYY5BKB8A8 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | cloudformation-vuln/cloudformation/regular.json | 309 | 0 |
| 01HSDZ1Y30ZF1KPPPYY6BCWSN5 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | cloudformation-vuln/cloudformation/regular.json | 309 | 0 |

### New Allowlisted Findings

| ID | Title | File | Line | CWE |
|-|-|-|-|-|
| 01HSDZ1Y30ZF1KPPPYXSEBS9EZ | Ensure EKS Cluster has Secrets Encryption Enabled | cloudformation-vuln/cloudformation/eks/eks_vuln.yaml | 439 | 0 |
| 01HSDZ1Y30ZF1KPPPYY1Q2W3NA | Ensure every security groups rule has a description | cloudformation-vuln/cloudformation/regular.json | 309 | 0 |
| 01HSDZ1Y30ZF1KPPPYY5BKB8A8 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | cloudformation-vuln/cloudformation/regular.json | 309 | 0 |
| 01HSDZ1Y30ZF1KPPPYY6BCWSN5 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | cloudformation-vuln/cloudformation/regular.json | 309 | 0 |

justin-nullify[bot] commented 5 months ago

New code security updates for commit bcccacd8a14072a06d41aa2516f7841b38ddfacf

| New | Fixed | Allowlisted | Unallowlisted |
|-|-|-|-|
| 4 | 0 | 0 | 0 |

### New Findings

| ID | Title | File | Line | CWE |
|-|-|-|-|-|
| 01HSDZ3H8BCYSWQ5Z38FSQC3HV | Java csrf rule springcsrfdisabled | BackOfficeSystem/src/main/java/com/banking/BackOfficeSystem/config/SecurityConfig.java | 83 | 352 |
| 01HSDZ3H8BCYSWQ5Z38JQ5G82Y | Java csrf rule springcsrfdisabled | OnlineBanking/src/main/java/com/banking/OnlineBanking/config/SecurityConfig.java | 97 | 352 |
| 01HSDZ3H8BCYSWQ5Z38NZ7A1DS | PII data is written to the log files | BankData/src/main/java/com/common/BankData/service/UserSecurityService.java | 28 | 359 |
| 01HSDZ3H8BCYSWQ5Z38RT4TJ0M | PII data is written to the log files | BankData/src/main/java/com/common/BankData/service/UserSecurityService.java | 28 | 532 |

justin-nullify[bot] commented 5 months ago

New code security updates for commit abc4e7517de2c372ed2688ae0a94921a86c6165b

| New | Fixed | Allowlisted | Unallowlisted |
|-|-|-|-|
| 0 | 4 | 0 | 0 |

### New Fixed Findings

| ID | Title | File | Line | CWE |
|-|-|-|-|-|
| 01HSDZ3H8BCYSWQ5Z38NZ7A1DS | PII data is written to the log files | BankData/src/main/java/com/common/BankData/service/UserSecurityService.java | 28 | 359 |
| 01HSDZ3H8BCYSWQ5Z38FSQC3HV | Java csrf rule springcsrfdisabled | BackOfficeSystem/src/main/java/com/banking/BackOfficeSystem/config/SecurityConfig.java | 83 | 352 |
| 01HSDZ3H8BCYSWQ5Z38RT4TJ0M | PII data is written to the log files | BankData/src/main/java/com/common/BankData/service/UserSecurityService.java | 28 | 532 |
| 01HSDZ3H8BCYSWQ5Z38JQ5G82Y | Java csrf rule springcsrfdisabled | OnlineBanking/src/main/java/com/banking/OnlineBanking/config/SecurityConfig.java | 97 | 352 |

justin-nullify[bot] commented 5 months ago

New code security updates for commit 9ecd285aa98d4efb53a3d08f37612bd9cd704407

| New | Fixed | Allowlisted | Unallowlisted |
|-|-|-|-|
| 4 | 0 | 0 | 0 |

### New Findings

| ID | Title | File | Line | CWE |
|-|-|-|-|-|
| 01HSDZM5NV1K8JRB2YRBH86SYT | Java csrf rule springcsrfdisabled | BackOfficeSystem/src/main/java/com/banking/BackOfficeSystem/config/SecurityConfig.java | 83 | 352 |
| 01HSDZM5NV1K8JRB2YRE41FVYS | Java csrf rule springcsrfdisabled | OnlineBanking/src/main/java/com/banking/OnlineBanking/config/SecurityConfig.java | 97 | 352 |
| 01HSDZM5NV1K8JRB2YRGB0R6JE | PII data is written to the log files | BankData/src/main/java/com/common/BankData/service/UserSecurityService.java | 28 | 359 |
| 01HSDZM5NV1K8JRB2YRK98PQPM | PII data is written to the log files | BankData/src/main/java/com/common/BankData/service/UserSecurityService.java | 28 | 532 |