
    Medium Vulnerabilities found by Veracode in 12.1p_2022-10-22

    Could you please guide us on how to resolve the vulnerabilities below?
    CWE-ID & Name | Module | Source
    CWE-73 (External Control of File Name or Path) | isomorphic-core-rpc-12.1-p20221022.jar | com/isomorphic/util/AtomicFileWriter.java:48
    CWE-918 (Server-Side Request Forgery (SSRF)) | isomorphic-core-rpc-12.1-p20221022.jar | com/isomorphic/util/ISCHttpClient.java:105
    CWE-93 (Improper Neutralization of CRLF Sequences ('CRLF Injection')) | isomorphic-core-rpc-12.1-p20221022.jar | com/isomorphic/mail/MailMessage.java:516
    CWE-501 (Trust Boundary Violation) | isomorphic-core-rpc-12.1-p20221022.jar | com/isomorphic/velocity/SessionAttributeMapFacade.java:120
    CWE-117 (Improper Output Neutralization for Logs) | isomorphic-core-rpc-12.1-p20221022.jar | com/isomorphic/log/Slf4jLogger.java:104
    CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')) | isomorphic-core-rpc-12.1-p20221022.jar | com/isomorphic/servlet/ServletTools.java:663
    CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)) | isomorphic-core-rpc-12.1-p20221022.jar | com/isomorphic/servlet/ScreenLoaderServlet.java:180
    Last edited by svancha; 3 Nov 2022, 08:21. Reason: Could you please help us guide how to resolve them.

    #2
    Could you please guide us on how to resolve them?



      #3
      There is nothing to resolve here.

      You are running a security scanner product, and such tools produce bogus "vulnerabilities" all the time. Here, it is flagging various code that is doing exactly what it is meant to do, because it is only accessible in a certain, safe way, and/or used for a limited purpose.

      If you discover any actual vulnerabilities, please do report them, explaining specifically how they can be exploited in a correct installation that follows our documentation. This has only happened once in our 20+ year history, and it was a minor exploit and immediately resolved, but of course we take this very seriously.

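      An added example, not code from Isomorphic or from this thread, showing the check a reviewer would actually run on two of the CWE classes listed in the first post (CWE-117 log forging and CWE-113 header splitting) instead of taking the scanner's pattern match at face value. Both CWEs need one concrete thing to be exploitable: an attacker-controlled CR or LF reaching the sink unneutralized. The harness below uses a constructed tainted value and hypothetical sink functions (`logLineUnsafe`, `logLineSafe`, `headerValueIsSplit`) to make that difference visible; it says nothing about whether the flagged Isomorphic methods are reachable with such input, which is exactly the question the scanner cannot answer and a human has to.

```java
import java.util.regex.Pattern;

/**
 * Added example (not Isomorphic/SmartClient code): a minimal harness for
 * triaging CWE-117 (log forging) and CWE-113 (header splitting) findings.
 * A finding in either class is only real if a CR or LF controlled by the
 * attacker reaches the sink unchanged, so the test is: feed a CRLF-bearing
 * value through the sink and see whether it comes out as more than one line.
 */
public class CrlfTriage {

    // Constructed attacker-controlled value: a "username" that tries to forge a
    // second log line and, in the header case, to inject a second header.
    static final String TAINTED =
        "alice\r\nINFO  login succeeded for admin\r\nSet-Cookie: role=admin";

    // Vulnerable sink shape (hypothetical): the value is concatenated into the
    // log line as-is, so the forged lines land in the log verbatim.
    static String logLineUnsafe(String user) {
        return "INFO  login failed for " + user;
    }

    // Neutralized sink (hypothetical): CR and LF are escaped before the value
    // is logged, so one event can never appear as several lines to a reader.
    static String logLineSafe(String user) {
        String cleaned = user.replace("\r", "\\r").replace("\n", "\\n");
        return "INFO  login failed for " + cleaned;
    }

    // CWE-113 needs a bare CR or LF inside a header value. Modern servlet
    // containers reject or strip these themselves, which is one legitimate
    // reason a static finding on a header-setting helper can be a non-issue.
    private static final Pattern CRLF = Pattern.compile("[\\r\\n]");

    static boolean headerValueIsSplit(String value) {
        return CRLF.matcher(value).find();
    }

    static String headerValueSanitized(String value) {
        return CRLF.matcher(value).replaceAll("");
    }

    // How many lines a log reader or header parser would see for one value.
    static int visibleLines(String text) {
        return text.split("\\r?\\n").length;
    }

    public static void main(String[] args) {
        System.out.println("unsafe log: lines seen = " + visibleLines(logLineUnsafe(TAINTED)));
        System.out.println("safe log:   lines seen = " + visibleLines(logLineSafe(TAINTED)));
        System.out.println("raw header value splits?       " + headerValueIsSplit(TAINTED));
        System.out.println("sanitized header value splits? "
            + headerValueIsSplit(headerValueSanitized(TAINTED)));
    }
}
```

      The same shape of check applies to the other entries in the list: for CWE-93 the sink is the mail header builder and the question is whether a caller can get a CRLF into a recipient or subject, for CWE-73 whether a path segment can come from a request parameter, and for CWE-918 whether the URL fetched by the HTTP client is influenced by a client at all. If the only callers are server-side configuration or trusted code, the finding is a false positive, which is the point the reply above is making; if a request path does exist, it is a real report.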
