Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Java] CWE-555: Query to detect password in Java EE configuration files #214

Closed
1 task done
luchua-bc opened this issue Dec 12, 2020 · 7 comments
Closed
1 task done
Labels
All For One Submissions to the All for One, One for All bounty

Comments

@luchua-bc
Copy link

luchua-bc commented Dec 12, 2020

CVE ID(s)

List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.

Report

Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.

Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resources. Therefore it is a common attack vector. And this is a common issue with many GitHub repositories.

The query detects cleartext passwords stored in XML configuration files.

Relevant PR: #4814

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Result(s)

Provide at least one useful result found by your query, on some revision of a real project.

@luchua-bc luchua-bc added the All For One Submissions to the All for One, One for All bounty label Dec 12, 2020
@ghsecuritylab
Copy link
Collaborator

ghsecuritylab commented Dec 17, 2020

Your submission is now in status SecLab review.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@ghsecuritylab
Copy link
Collaborator

ghsecuritylab commented Dec 23, 2020

Your submission is now in status CodeQL review.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@ghsecuritylab
Copy link
Collaborator

ghsecuritylab commented Jan 5, 2021

Your submission is now in status SecLab finalize.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@ghsecuritylab
Copy link
Collaborator

ghsecuritylab commented Jan 5, 2021

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@xcorail
Copy link
Contributor

xcorail commented Jan 5, 2021

Created Hackerone report 1072078 for bounty 269411 : [214] [Java] CWE-555: Query to detect password in Java EE configuration files

@xcorail xcorail closed this as completed Jan 5, 2021
@ghsecuritylab
Copy link
Collaborator

ghsecuritylab commented Jan 5, 2021

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@luchua-bc
Copy link
Author

luchua-bc commented Jan 5, 2021

Thanks @xcorail for the quick turn-around and the bounty.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
All For One Submissions to the All for One, One for All bounty
Projects
None yet
Development

No branches or pull requests

3 participants