Skip to content

AutoFix PR #30

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
nishfath wants to merge 21 commits into
base: nishfath-patch-12
Choose a base branch
from
Open

AutoFix PR #30

nishfath wants to merge 21 commits into from

Conversation

@nishfath
Copy link
Owner

@nishfath nishfath commented Dec 4, 2025
edited
Loading

Qwiet AI AutoFix

This PR was created automatically by the Qwiet AI AutoFix tool.
As long as it is open, subsequent scans and generated fixes to this same branch will be added to it as new commits.

Each commit fixes one vulnerability.

Some manual intervention might be required before merging this PR.

Project Information

Findings/Vulnerabilities Fixed

Finding 61: Directory Traversal: Attacker-controlled Data Used in File Path via multifile in FileUpload.uploadPicture

Vulnerability Description

Attacker-Controlled input data is used as part of a file path to write a file without escaping or validation. This indicates a directory traversal vulnerability.

  • Severity: critical
  • CVSS Score: 9 (critical)
  • CWE: 22
  • Category: Directory Traversal
Commits/Files Changed

Finding 67: Directory Traversal: Attacker-controlled Data Used in File Path via url in SSRF.openStream

Vulnerability Description

Attacker-Controlled input data is used as part of a file path to write a file without escaping or validation. This indicates a directory traversal vulnerability.

  • Severity: critical
  • CVSS Score: 9 (critical)
  • CWE: 22
  • Category: Directory Traversal
Commits/Files Changed

Finding 226: Remote Code Execution: Application Starts a Java Remote Method Invocation (RMI) Server in Server.main

Vulnerability Description

The application listens for connections via the Java Remote Method Invocation (RMI) protocol. By default this allows clients to execute arbitrary code on the server. Ensure you follow best practices of RMI deployment and consider migrating to another RPC protocol.

  • Severity: high
  • CVSS Score: 8 (high)
  • CWE: 94, 419
  • Category: Remote Code Execution
Commits/Files Changed

Finding 60: Directory Traversal: Attacker-controlled Data Used in File Path via multifile in FileUpload.uploadPicture

Vulnerability Description

Attacker-Controlled input data is used as part of a file path to write a file without escaping or validation. This indicates a directory traversal vulnerability.

  • Severity: critical
  • CVSS Score: 9 (critical)
  • CWE: 22
  • Category: Directory Traversal
Commits/Files Changed

Finding 59: Directory Traversal: Attacker-controlled Data Used in File Path via multifile in FileUpload.uploadPicture

Vulnerability Description

Attacker-Controlled input data is used as part of a file path to write a file without escaping or validation. This indicates a directory traversal vulnerability.

  • Severity: critical
  • CVSS Score: 9 (critical)
  • CWE: 22
  • Category: Directory Traversal
Commits/Files Changed

Finding 66: Directory Traversal: Attacker-controlled Data Used in File Path via url in SSRF.openStream

Vulnerability Description

Attacker-Controlled input data is used as part of a file path to write a file without escaping or validation. This indicates a directory traversal vulnerability.

  • Severity: critical
  • CVSS Score: 9 (critical)
  • CWE: 22
  • Category: Directory Traversal
Commits/Files Changed

Finding 185: XML External Entities: Attacker-controlled Data Parsed as XML in WebUtils.getRequestBody

Vulnerability Description

Attacker-controlled data is parsed as XML. This indicates an XML External Entities (XXE) or other XML-based vulnerability like billion laughs.

  • Severity: critical
  • CVSS Score: 9 (critical)
  • CWE: 611, 91
  • Category: XML External Entities
Commits/Files Changed

Finding 177: XML External Entities: Attacker-controlled Data Parsed as XML in WebUtils.getRequestBody

Vulnerability Description

Attacker-controlled data is parsed as XML. This indicates an XML External Entities (XXE) or other XML-based vulnerability like billion laughs.

  • Severity: critical
  • CVSS Score: 9 (critical)
  • CWE: 611, 91
  • Category: XML External Entities
Commits/Files Changed

Finding 178: XML External Entities: Attacker-controlled Data Parsed as XML in WebUtils.getRequestBody

Vulnerability Description

Attacker-controlled data is parsed as XML. This indicates an XML External Entities (XXE) or other XML-based vulnerability like billion laughs.

  • Severity: critical
  • CVSS Score: 9 (critical)
  • CWE: 611, 91
  • Category: XML External Entities
Commits/Files Changed

Finding 179: XML External Entities: Attacker-controlled Data Parsed as XML in WebUtils.getRequestBody

Vulnerability Description

Attacker-controlled data is parsed as XML. This indicates an XML External Entities (XXE) or other XML-based vulnerability like billion laughs.

  • Severity: critical
  • CVSS Score: 9 (critical)
  • CWE: 611, 91
  • Category: XML External Entities
Commits/Files Changed

Finding 182: XML External Entities: Attacker-controlled Data Parsed as XML in WebUtils.getRequestBody

Vulnerability Description

Attacker-controlled data is parsed as XML. This indicates an XML External Entities (XXE) or other XML-based vulnerability like billion laughs.

  • Severity: critical
  • CVSS Score: 9 (critical)
  • CWE: 611, 91
  • Category: XML External Entities
Commits/Files Changed

Finding 181: XML External Entities: Attacker-controlled Data Parsed as XML in WebUtils.getRequestBody

Vulnerability Description

Attacker-controlled data is parsed as XML. This indicates an XML External Entities (XXE) or other XML-based vulnerability like billion laughs.

  • Severity: critical
  • CVSS Score: 9 (critical)
  • CWE: 611, 91
  • Category: XML External Entities
Commits/Files Changed

Finding 186: XML External Entities: Attacker-controlled Data Parsed as XML via file in xlsxStreamerXXE.xllx_streamer_xxe

Vulnerability Description

Attacker-controlled data is parsed as XML. This indicates an XML External Entities (XXE) or other XML-based vulnerability like billion laughs.

  • Severity: critical
  • CVSS Score: 9 (critical)
  • CWE: 611, 91
  • Category: XML External Entities
Commits/Files Changed

Finding 184: XML External Entities: Attacker-controlled Data Parsed as XML in WebUtils.getRequestBody

Vulnerability Description

Attacker-controlled data is parsed as XML. This indicates an XML External Entities (XXE) or other XML-based vulnerability like billion laughs.

  • Severity: critical
  • CVSS Score: 9 (critical)
  • CWE: 611, 91
  • Category: XML External Entities
Commits/Files Changed

Finding 180: XML External Entities: Attacker-controlled Data Parsed as XML in WebUtils.getRequestBody

Vulnerability Description

Attacker-controlled data is parsed as XML. This indicates an XML External Entities (XXE) or other XML-based vulnerability like billion laughs.

  • Severity: critical
  • CVSS Score: 9 (critical)
  • CWE: 611, 91
  • Category: XML External Entities
Commits/Files Changed

Qwiet AI added 21 commits December 4, 2025 18:42
@nishfath
Fixing src/main/java/org/joychou/controller/FileUpload.java for findi…
f924a68 
…ng 61
@nishfath
Fixing src/main/java/org/joychou/controller/SSRF.java for finding 67
a2d1378
@nishfath
Fixing src/main/java/org/joychou/util/WebUtils.java for finding 67
80685c2
@nishfath
Fixing src/main/java/org/joychou/RMI/Server.java for finding 226
eacad67
@nishfath
Fixing src/main/java/org/joychou/controller/FileUpload.java for findi…
9c3e7ed 
…ng 60
@nishfath
Fixing src/main/java/org/joychou/controller/FileUpload.java for findi…
9692659 
…ng 59
@nishfath
Fixing src/main/java/org/joychou/util/WebUtils.java for finding 66
35bd59a
@nishfath
Fixing src/main/java/org/joychou/controller/SSRF.java for finding 66
1b4e82a
@nishfath
Fixing src/main/java/org/joychou/controller/XXE.java for finding 185
e934829
@nishfath
Fixing src/main/java/org/joychou/controller/XXE.java for finding 177
06479b3
@nishfath
Fixing src/main/java/org/joychou/controller/XXE.java for finding 178
7bd7599
@nishfath
Fixing src/main/java/org/joychou/controller/XXE.java for finding 183
73da0d2
@nishfath
Fixing src/main/java/org/joychou/controller/XXE.java for finding 179
76c2504
@nishfath
Fixing src/main/java/org/joychou/controller/XXE.java for finding 182
4501dfe
@nishfath
Fixing src/main/java/org/joychou/util/WebUtils.java for finding 182
37e6cc0
@nishfath
Fixing src/main/java/org/joychou/controller/XXE.java for finding 181
322edfd
@nishfath
Fixing src/main/java/org/joychou/controller/othervulns/xlsxStreamerXX…
1d81012 
…E.java for finding 186
@nishfath
Fixing src/main/java/org/joychou/controller/XXE.java for finding 184
73a8f7f
@nishfath
Fixing src/main/java/org/joychou/util/WebUtils.java for finding 184
d3fdeb0
@nishfath
Fixing src/main/java/org/joychou/controller/XXE.java for finding 180
40c6549
@nishfath
Fixing src/main/java/org/joychou/util/WebUtils.java for finding 180
60d9bec
@github-actions
Copy link

github-actions bot commented Dec 4, 2025

Qwiet LogoQwiet Logo

Checking analysis of application java-sec-code-test against 1 build rules.

Using sl version 0.9.3567 (eb2f81dd6d0ae77292902712c2f3aeab7f7b1708).

Checking findings on scan 10.

Results per rule:

  • report: FAIL
    (619 matched vulnerabilities; configured threshold is 0).

    First 5 findings:

        ID   CVSS    Rating    CVE              Title                                                                                                                                                     
     255   10.0   critical   CVE-2018-14721   FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to b…
     547   10.0   critical   CVE-2021-44228   Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.                                             
     554   10.0   critical   CVE-2021-44228   Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.                                             
     245    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderCli…
     247    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderCli…
     Severity rating   Count 
     Critical             95 
     High                242 
     Medium              165 
     Low                 115 
     Finding Type     Count 
     Oss_vuln           370 
     Vuln               217 
     Security_issue      30 
     Secret               2 
     OWASP 2021 Category                              Count 
     A03-Injection                                       66 
     A09-Security-Logging-And-Monitoring-Failures        53 
     A01-Broken-Access-Control                           50 
     A05-Security-Misconfiguration                       46 
     A10-Server-Side-Request-Forgery-(Ssrf)              25 
     A08-Software-And-Data-Integrity-Failures             5 
     A07-Identification-And-Authentication-Failures       1 
     A02-Cryptographic-Failures                           1 

1 rule failed.

7 similar comments
@github-actions
Copy link

github-actions bot commented Dec 4, 2025

Qwiet LogoQwiet Logo

Checking analysis of application java-sec-code-test against 1 build rules.

Using sl version 0.9.3567 (eb2f81dd6d0ae77292902712c2f3aeab7f7b1708).

Checking findings on scan 10.

Results per rule:

  • report: FAIL
    (619 matched vulnerabilities; configured threshold is 0).

    First 5 findings:

        ID   CVSS    Rating    CVE              Title                                                                                                                                                     
     255   10.0   critical   CVE-2018-14721   FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to b…
     547   10.0   critical   CVE-2021-44228   Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.                                             
     554   10.0   critical   CVE-2021-44228   Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.                                             
     245    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderCli…
     247    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderCli…
     Severity rating   Count 
     Critical             95 
     High                242 
     Medium              165 
     Low                 115 
     Finding Type     Count 
     Oss_vuln           370 
     Vuln               217 
     Security_issue      30 
     Secret               2 
     OWASP 2021 Category                              Count 
     A03-Injection                                       66 
     A09-Security-Logging-And-Monitoring-Failures        53 
     A01-Broken-Access-Control                           50 
     A05-Security-Misconfiguration                       46 
     A10-Server-Side-Request-Forgery-(Ssrf)              25 
     A08-Software-And-Data-Integrity-Failures             5 
     A07-Identification-And-Authentication-Failures       1 
     A02-Cryptographic-Failures                           1 

1 rule failed.

@github-actions
Copy link

github-actions bot commented Dec 4, 2025

Qwiet LogoQwiet Logo

Checking analysis of application java-sec-code-test against 1 build rules.

Using sl version 0.9.3567 (eb2f81dd6d0ae77292902712c2f3aeab7f7b1708).

Checking findings on scan 10.

Results per rule:

  • report: FAIL
    (619 matched vulnerabilities; configured threshold is 0).

    First 5 findings:

        ID   CVSS    Rating    CVE              Title                                                                                                                                                     
     255   10.0   critical   CVE-2018-14721   FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to b…
     547   10.0   critical   CVE-2021-44228   Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.                                             
     554   10.0   critical   CVE-2021-44228   Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.                                             
     245    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderCli…
     247    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderCli…
     Severity rating   Count 
     Critical             95 
     High                242 
     Medium              165 
     Low                 115 
     Finding Type     Count 
     Oss_vuln           370 
     Vuln               217 
     Security_issue      30 
     Secret               2 
     OWASP 2021 Category                              Count 
     A03-Injection                                       66 
     A09-Security-Logging-And-Monitoring-Failures        53 
     A01-Broken-Access-Control                           50 
     A05-Security-Misconfiguration                       46 
     A10-Server-Side-Request-Forgery-(Ssrf)              25 
     A08-Software-And-Data-Integrity-Failures             5 
     A07-Identification-And-Authentication-Failures       1 
     A02-Cryptographic-Failures                           1 

1 rule failed.

@github-actions
Copy link

github-actions bot commented Dec 4, 2025

Qwiet LogoQwiet Logo

Checking analysis of application java-sec-code-test against 1 build rules.

Using sl version 0.9.3567 (eb2f81dd6d0ae77292902712c2f3aeab7f7b1708).

Checking findings on scan 10.

Results per rule:

  • report: FAIL
    (619 matched vulnerabilities; configured threshold is 0).

    First 5 findings:

        ID   CVSS    Rating    CVE              Title                                                                                                                                                     
     255   10.0   critical   CVE-2018-14721   FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to b…
     547   10.0   critical   CVE-2021-44228   Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.                                             
     554   10.0   critical   CVE-2021-44228   Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.                                             
     245    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderCli…
     247    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderCli…
     Severity rating   Count 
     Critical             95 
     High                242 
     Medium              165 
     Low                 115 
     Finding Type     Count 
     Oss_vuln           370 
     Vuln               217 
     Security_issue      30 
     Secret               2 
     OWASP 2021 Category                              Count 
     A03-Injection                                       66 
     A09-Security-Logging-And-Monitoring-Failures        53 
     A01-Broken-Access-Control                           50 
     A05-Security-Misconfiguration                       46 
     A10-Server-Side-Request-Forgery-(Ssrf)              25 
     A08-Software-And-Data-Integrity-Failures             5 
     A07-Identification-And-Authentication-Failures       1 
     A02-Cryptographic-Failures                           1 

1 rule failed.

@github-actions
Copy link

github-actions bot commented Dec 4, 2025

Qwiet LogoQwiet Logo

Checking analysis of application java-sec-code-test against 1 build rules.

Using sl version 0.9.3567 (eb2f81dd6d0ae77292902712c2f3aeab7f7b1708).

Checking findings on scan 10.

Results per rule:

  • report: FAIL
    (619 matched vulnerabilities; configured threshold is 0).

    First 5 findings:

        ID   CVSS    Rating    CVE              Title                                                                                                                                                     
     255   10.0   critical   CVE-2018-14721   FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to b…
     547   10.0   critical   CVE-2021-44228   Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.                                             
     554   10.0   critical   CVE-2021-44228   Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.                                             
     245    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderCli…
     247    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderCli…
     Severity rating   Count 
     Critical             95 
     High                242 
     Medium              165 
     Low                 115 
     Finding Type     Count 
     Oss_vuln           370 
     Vuln               217 
     Security_issue      30 
     Secret               2 
     OWASP 2021 Category                              Count 
     A03-Injection                                       66 
     A09-Security-Logging-And-Monitoring-Failures        53 
     A01-Broken-Access-Control                           50 
     A05-Security-Misconfiguration                       46 
     A10-Server-Side-Request-Forgery-(Ssrf)              25 
     A08-Software-And-Data-Integrity-Failures             5 
     A07-Identification-And-Authentication-Failures       1 
     A02-Cryptographic-Failures                           1 

1 rule failed.

@github-actions
Copy link

github-actions bot commented Dec 4, 2025

Qwiet LogoQwiet Logo

Checking analysis of application java-sec-code-test against 1 build rules.

Using sl version 0.9.3567 (eb2f81dd6d0ae77292902712c2f3aeab7f7b1708).

Checking findings on scan 10.

Results per rule:

  • report: FAIL
    (619 matched vulnerabilities; configured threshold is 0).

    First 5 findings:

        ID   CVSS    Rating    CVE              Title                                                                                                                                                     
     255   10.0   critical   CVE-2018-14721   FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to b…
     547   10.0   critical   CVE-2021-44228   Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.                                             
     554   10.0   critical   CVE-2021-44228   Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.                                             
     245    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderCli…
     247    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderCli…
     Severity rating   Count 
     Critical             95 
     High                242 
     Medium              165 
     Low                 115 
     Finding Type     Count 
     Oss_vuln           370 
     Vuln               217 
     Security_issue      30 
     Secret               2 
     OWASP 2021 Category                              Count 
     A03-Injection                                       66 
     A09-Security-Logging-And-Monitoring-Failures        53 
     A01-Broken-Access-Control                           50 
     A05-Security-Misconfiguration                       46 
     A10-Server-Side-Request-Forgery-(Ssrf)              25 
     A08-Software-And-Data-Integrity-Failures             5 
     A07-Identification-And-Authentication-Failures       1 
     A02-Cryptographic-Failures                           1 

1 rule failed.

@github-actions
Copy link

github-actions bot commented Dec 4, 2025

Qwiet LogoQwiet Logo

Checking analysis of application java-sec-code-test against 1 build rules.

Using sl version 0.9.3567 (eb2f81dd6d0ae77292902712c2f3aeab7f7b1708).

Checking findings on scan 10.

Results per rule:

  • report: FAIL
    (619 matched vulnerabilities; configured threshold is 0).

    First 5 findings:

        ID   CVSS    Rating    CVE              Title                                                                                                                                                     
     255   10.0   critical   CVE-2018-14721   FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to b…
     547   10.0   critical   CVE-2021-44228   Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.                                             
     554   10.0   critical   CVE-2021-44228   Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.                                             
     245    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderCli…
     247    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderCli…
     Severity rating   Count 
     Critical             95 
     High                242 
     Medium              165 
     Low                 115 
     Finding Type     Count 
     Oss_vuln           370 
     Vuln               217 
     Security_issue      30 
     Secret               2 
     OWASP 2021 Category                              Count 
     A03-Injection                                       66 
     A09-Security-Logging-And-Monitoring-Failures        53 
     A01-Broken-Access-Control                           50 
     A05-Security-Misconfiguration                       46 
     A10-Server-Side-Request-Forgery-(Ssrf)              25 
     A08-Software-And-Data-Integrity-Failures             5 
     A07-Identification-And-Authentication-Failures       1 
     A02-Cryptographic-Failures                           1 

1 rule failed.

@github-actions
Copy link

github-actions bot commented Dec 4, 2025

Qwiet LogoQwiet Logo

Checking analysis of application java-sec-code-test against 1 build rules.

Using sl version 0.9.3567 (eb2f81dd6d0ae77292902712c2f3aeab7f7b1708).

Checking findings on scan 10.

Results per rule:

  • report: FAIL
    (619 matched vulnerabilities; configured threshold is 0).

    First 5 findings:

        ID   CVSS    Rating    CVE              Title                                                                                                                                                     
     255   10.0   critical   CVE-2018-14721   FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to b…
     547   10.0   critical   CVE-2021-44228   Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.                                             
     554   10.0   critical   CVE-2021-44228   Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.                                             
     245    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderCli…
     247    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderCli…
     Severity rating   Count 
     Critical             95 
     High                242 
     Medium              165 
     Low                 115 
     Finding Type     Count 
     Oss_vuln           370 
     Vuln               217 
     Security_issue      30 
     Secret               2 
     OWASP 2021 Category                              Count 
     A03-Injection                                       66 
     A09-Security-Logging-And-Monitoring-Failures        53 
     A01-Broken-Access-Control                           50 
     A05-Security-Misconfiguration                       46 
     A10-Server-Side-Request-Forgery-(Ssrf)              25 
     A08-Software-And-Data-Integrity-Failures             5 
     A07-Identification-And-Authentication-Failures       1 
     A02-Cryptographic-Failures                           1 

1 rule failed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nishfath