Connection_String_Injection @ /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java #61
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Checkmarx (SAST): Connection_String_Injection
Security Issue: Read More about Connection_String_Injection
Applications: Kelseys-repos, All Projects, SCA examples, JVL
Checkmarx Project: ksalman-Cx-org-NA-kelsey-na/JavaVulnerableLab-base
Repository URL: https://github.com/ksalman-Cx-org-NA-kelsey-na/JavaVulnerableLab-base
Branch: master
Scan ID: 579aec21-676f-40f9-bdda-e11a607b1c21
The application's setup method receives untrusted, user-controlled data, and uses this data to connect to a database using dburl, at line 112 of /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java. This may enable a Connection String Injection attack.
The attacker can inject the connection string via user input, ""dburl"", which is retrieved by the application in the processRequest method, at line 54 of /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java.
Result #1:
Severity: HIGH
State: CONFIRMED
Status: RECURRENT
Attack Vector:
1. ""dburl"": /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java[54,38]
2. getParameter: /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java[54,37]
3. dburl: /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java[54,9]
4. setup: /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java[87,21]
5. dburl: /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java[112,65]
Review result in Checkmarx One: Connection_String_Injection
The text was updated successfully, but these errors were encountered: