Open justin-nullify[bot] opened 5 months ago
New code security updates for commit fa1236e3999f5d7b58f6b6efdb11c15b9e899e18
New | Fixed | Allowlisted | Unallowlisted |
---|---|---|---|
7 | 0 | 4 | 0 |
New code security updates for commit bcccacd8a14072a06d41aa2516f7841b38ddfacf
New | Fixed | Allowlisted | Unallowlisted |
---|---|---|---|
4 | 0 | 0 | 0 |
New code security updates for commit abc4e7517de2c372ed2688ae0a94921a86c6165b
New | Fixed | Allowlisted | Unallowlisted |
---|---|---|---|
0 | 4 | 0 | 0 |
New code security updates for commit 9ecd285aa98d4efb53a3d08f37612bd9cd704407
New | Fixed | Allowlisted | Unallowlisted |
---|---|---|---|
4 | 0 | 0 | 0 |
Severity Threshold: 🔵 MEDIUM
7 Potential vulnerability sources found within this repo
Severity legend: 🔴 CRITICAL, 🟡 HIGH, 🔵 MEDIUM, ⚪ LOW
ID: 01HSDZM5NV1K8JRB2YR5W8SGB3
Language: CloudFormation
Severity: 🟡 HIGH
CKV_AWS_21
Ensure the S3 bucket has versioning enabled
Read more: https://docs.bridgecrew.io/docs/s3_16-enable-versioning
Location: https://github.com/juicetin/sca-vulnerable-repo/blob/9ecd285aa98d4efb53a3d08f37612bd9cd704407/cloudformation-vuln/cloudformation/insecure.yaml#L5-L19
ID: 01HSDZM5NV1K8JRB2YR0QKD4ZM
Language: CloudFormation
Severity: 🔵 MEDIUM
CKV_AWS_53
Ensure S3 bucket has block public ACLs enabled
Read more: https://docs.bridgecrew.io/docs/bc_aws_s3_19
Location: https://github.com/juicetin/sca-vulnerable-repo/blob/9ecd285aa98d4efb53a3d08f37612bd9cd704407/cloudformation-vuln/cloudformation/insecure.yaml#L5-L19
ID: 01HSDZM5NV1K8JRB2YR4BHNQ50
Language: CloudFormation
Severity: 🔵 MEDIUM
CKV_AWS_54
Ensure S3 bucket has block public policy enabled
Read more: https://docs.bridgecrew.io/docs/bc_aws_s3_20
Location: https://github.com/juicetin/sca-vulnerable-repo/blob/9ecd285aa98d4efb53a3d08f37612bd9cd704407/cloudformation-vuln/cloudformation/insecure.yaml#L5-L19
ID: 01HSDZM5NV1K8JRB2YRBH86SYT
Language: Java
Severity: 🔵 MEDIUM
CWE-352
Java csrf rule springcsrfdisabled
The application fails to protect against Cross-Site Request Forgery (CSRF) due to disabling Spring's CSRF protection features.
The vulnerability can be exploited by an adversary creating a link or form on a third party site and tricking an authenticated victim to access them.
To remediate this issue, remove the call to `HttpSecurity.csrf().disable()` or remove the customCsrfConfigurer. For more information on CSRF protection in Spring see: https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#servlet-csrf
Additionally, consider setting all session cookies to have the `SameSite=Strict` attribute. It should be noted that this may impact usability when sharing links across other mediums. It is recommended that a two-cookie-based approach is taken, as outlined in the Top level navigations section of the SameSite RFC. For more information on CSRF see OWASP's guide: https://owasp.org/www-community/attacks/csrf
Location: https://github.com/juicetin/sca-vulnerable-repo/blob/9ecd285aa98d4efb53a3d08f37612bd9cd704407/BackOfficeSystem/src/main/java/com/banking/BackOfficeSystem/config/SecurityConfig.java#L83-L94
ID: 01HSDZM5NV1K8JRB2YRE41FVYS
Language: Java
Severity: 🔵 MEDIUM
CWE-352
Java csrf rule springcsrfdisabled
The application fails to protect against Cross-Site Request Forgery (CSRF) due to disabling Spring's CSRF protection features.
The vulnerability can be exploited by an adversary creating a link or form on a third party site and tricking an authenticated victim to access them.
To remediate this issue, remove the call to `HttpSecurity.csrf().disable()` or remove the customCsrfConfigurer. For more information on CSRF protection in Spring see: https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#servlet-csrf
Additionally, consider setting all session cookies to have the `SameSite=Strict` attribute. It should be noted that this may impact usability when sharing links across other mediums. It is recommended that a two-cookie-based approach is taken, as outlined in the Top level navigations section of the SameSite RFC. For more information on CSRF see OWASP's guide: https://owasp.org/www-community/attacks/csrf
Location: https://github.com/juicetin/sca-vulnerable-repo/blob/9ecd285aa98d4efb53a3d08f37612bd9cd704407/OnlineBanking/src/main/java/com/banking/OnlineBanking/config/SecurityConfig.java#L97-L108
ID: 01HSDZM5NV1K8JRB2YRGB0R6JE
Language: Java
Severity: 🔵 MEDIUM
CWE-359
PII data is written to the log files
Sensitive data written to log files or the file system may lead to unauthorized access or exposure to potential attack.
Location: https://github.com/juicetin/sca-vulnerable-repo/blob/9ecd285aa98d4efb53a3d08f37612bd9cd704407/BankData/src/main/java/com/common/BankData/service/UserSecurityService.java#L28
ID: 01HSDZM5NV1K8JRB2YRK98PQPM
Language: Java
Severity: 🔵 MEDIUM
CWE-532
PII data is written to the log files
Sensitive data written to log files or the file system may lead to unauthorized access or exposure to potential attack.
Location: https://github.com/juicetin/sca-vulnerable-repo/blob/9ecd285aa98d4efb53a3d08f37612bd9cd704407/BankData/src/main/java/com/common/BankData/service/UserSecurityService.java#L28
Reply with `/nullify` to interact with me like another developer.