New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Java] CWE-555: Query to detect password in Java EE configuration files #214
Comments
|
Your submission is now in status SecLab review. For information, the evaluation workflow is the following: |
|
Your submission is now in status CodeQL review. For information, the evaluation workflow is the following: |
|
Your submission is now in status SecLab finalize. For information, the evaluation workflow is the following: |
|
Your submission is now in status Pay. For information, the evaluation workflow is the following: |
|
Created Hackerone report 1072078 for bounty 269411 : [214] [Java] CWE-555: Query to detect password in Java EE configuration files |
|
Your submission is now in status Closed. For information, the evaluation workflow is the following: |
|
Thanks @xcorail for the quick turn-around and the bounty. |
luchua-bc commentedDec 12, 2020
CVE ID(s)
List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.
Report
Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.
Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resources. Therefore it is a common attack vector. And this is a common issue with many GitHub repositories.
The query detects cleartext passwords stored in XML configuration files.
Relevant PR: #4814
Result(s)
Provide at least one useful result found by your query, on some revision of a real project.
The text was updated successfully, but these errors were encountered: