SQL Injection vulnerability fix (powered by Mobb) by eitanMobb · Pull Request #29 · eitanMobb/WebGoat

eitanMobb · 2024-11-07T23:27:53Z

This change fixes a high severity (🚩) SQL Injection issue reported by Checkmarx.

Issue description

SQL Injection allows attackers to execute malicious SQL queries by manipulating input data. This can result in unauthorized access to sensitive data, data manipulation, or even complete database compromise.

Fix instructions

Use parameterized queries or prepared statements to sanitize user input and prevent manipulation of the SQL query.

More info and fix customization are available in the Mobb platform

eitanMobb · 2024-11-07T23:30:18Z

Checkmarx One – Scan Summary & Details – d0c4cf09-25dc-4ed4-bd8c-432cf31eb7d0

New Issues

Issue	Source File / Package	Checkmarx Insight
CVE-2013-7285	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21342	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21344	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21345	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21346	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21347	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21350	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21351	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2022-1471	Maven-org.yaml:snakeyaml-1.33	Vulnerable Package
CVE-2024-31573	Maven-org.xmlunit:xmlunit-core-2.9.1	Vulnerable Package
CVE-2024-38821	Maven-org.springframework.security:spring-security-web-6.1.5	Vulnerable Package
CVE-2016-10707	Npm-jquery-1.10.2	Vulnerable Package
CVE-2016-10707	Npm-jquery-2.1.4	Vulnerable Package
CVE-2016-3674	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2017-7957	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2020-26217	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2020-26258	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21341	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21343	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21348	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-21349	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-29505	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39139	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39141	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39144	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39145	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39146	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39147	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39148	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39149	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39150	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39151	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39152	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39153	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39154	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-43859	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2022-40151	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2022-40152	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2022-41966	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2023-1973	Maven-io.undertow:undertow-core-2.3.10.Final	Vulnerable Package
CVE-2023-1973	Maven-io.undertow:undertow-servlet-2.3.10.Final	Vulnerable Package
CVE-2023-24998	Maven-commons-fileupload:commons-fileupload-1.4	Vulnerable Package
CVE-2023-34053	Maven-org.springframework:spring-web-6.0.13	Vulnerable Package
CVE-2023-38286	Maven-org.thymeleaf:thymeleaf-3.1.1.RELEASE	Vulnerable Package
CVE-2023-51775	Maven-org.bitbucket.b_c:jose4j-0.9.3	Vulnerable Package
CVE-2023-52428	Maven-com.nimbusds:nimbus-jose-jwt-9.24.4	Vulnerable Package
CVE-2023-5379	Maven-io.undertow:undertow-core-2.3.10.Final	Vulnerable Package
CVE-2023-5685	Maven-org.jboss.xnio:xnio-api-3.8.8.Final	Vulnerable Package
CVE-2023-6378	Maven-ch.qos.logback:logback-classic-1.4.11	Vulnerable Package
CVE-2023-6378	Maven-ch.qos.logback:logback-core-1.4.11	Vulnerable Package
CVE-2023-6481	Maven-ch.qos.logback:logback-core-1.4.11	Vulnerable Package
CVE-2024-1635	Maven-io.undertow:undertow-core-2.3.10.Final	Vulnerable Package
CVE-2024-22201	Maven-org.eclipse.jetty.http2:http2-common-11.0.17	Vulnerable Package
CVE-2024-22234	Maven-org.springframework.security:spring-security-core-6.1.5	Vulnerable Package
CVE-2024-22234	Maven-org.springframework.security:spring-security-web-6.1.5	Vulnerable Package
CVE-2024-22234	Maven-org.springframework.security:spring-security-oauth2-client-6.1.5	Vulnerable Package
CVE-2024-22243	Maven-org.springframework:spring-web-6.0.13	Vulnerable Package
CVE-2024-22257	Maven-org.springframework.security:spring-security-core-6.1.5	Vulnerable Package
CVE-2024-22259	Maven-org.springframework:spring-web-6.0.13	Vulnerable Package
CVE-2024-22262	Maven-org.springframework:spring-web-6.0.13	Vulnerable Package
CVE-2024-38809	Maven-org.springframework:spring-web-6.0.13	Vulnerable Package
CVE-2024-38816	Maven-org.springframework:spring-webmvc-6.0.13	Vulnerable Package
CVE-2024-5971	Maven-io.undertow:undertow-core-2.3.10.Final	Vulnerable Package
CVE-2024-6162	Maven-io.undertow:undertow-core-2.3.10.Final	Vulnerable Package
CVE-2024-7885	Maven-io.undertow:undertow-core-2.3.10.Final	Vulnerable Package
Missing User Instruction	/Dockerfile_desktop: 1	A user should be specified in the dockerfile, otherwise the image will run as root
Apt Get Install Pin Version Not Defined	/Dockerfile_desktop: 12	When installing a package, its pin version should be defined
Apt Get Install Pin Version Not Defined	/Dockerfile_desktop: 12	When installing a package, its pin version should be defined
CVE-2015-9251	Npm-jquery-1.10.2	Vulnerable Package
CVE-2015-9251	Npm-jquery-2.1.4	Vulnerable Package
CVE-2016-7103	Npm-jquery-ui-1.10.4	Vulnerable Package
CVE-2019-11358	Npm-jquery-1.10.2	Vulnerable Package
CVE-2019-11358	Npm-jquery-2.1.4	Vulnerable Package
CVE-2020-11022	Npm-jquery-1.10.2	Vulnerable Package
CVE-2020-11022	Npm-jquery-2.1.4	Vulnerable Package
CVE-2020-11022	Npm-jquery-3.4.1	Vulnerable Package
CVE-2020-11023	Npm-jquery-1.10.2	Vulnerable Package
CVE-2020-11023	Npm-jquery-2.1.4	Vulnerable Package
CVE-2020-11023	Npm-jquery-3.4.1	Vulnerable Package
CVE-2020-26259	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-39140	Maven-com.thoughtworks.xstream:xstream-1.4.5	Vulnerable Package
CVE-2021-41182	Npm-jquery-ui-1.10.4	Vulnerable Package
CVE-2021-41183	Npm-jquery-ui-1.10.4	Vulnerable Package
CVE-2021-41184	Npm-jquery-ui-1.10.4	Vulnerable Package
CVE-2022-31160	Npm-jquery-ui-1.10.4	Vulnerable Package
CVE-2023-34055	Maven-org.springframework.boot:spring-boot-actuator-3.1.5	Vulnerable Package
CVE-2023-41329	Maven-com.github.tomakehurst:wiremock-3.0.0-beta-2	Vulnerable Package
CVE-2023-51074	Maven-com.jayway.jsonpath:json-path-2.8.0	Vulnerable Package
CVE-2024-1459	Maven-io.undertow:undertow-core-2.3.10.Final	Vulnerable Package
CVE-2024-3653	Maven-io.undertow:undertow-core-2.3.10.Final	Vulnerable Package
CVE-2024-3653	Maven-io.undertow:undertow-servlet-2.3.10.Final	Vulnerable Package
CVE-2024-38820	Maven-org.springframework:spring-webmvc-6.0.13	Vulnerable Package
CVE-2024-38820	Maven-org.springframework:spring-core-6.0.13	Vulnerable Package
CVE-2024-38820	Maven-org.springframework:spring-web-6.0.13	Vulnerable Package
CVE-2024-38820	Maven-org.springframework:spring-context-6.0.13	Vulnerable Package
CVE-2024-6531	Maven-org.webjars:bootstrap-5.3.2	Vulnerable Package
CVE-2024-8184	Maven-org.eclipse.jetty:jetty-server-11.0.17	Vulnerable Package
CVE-2024-9823	Maven-org.eclipse.jetty:jetty-servlets-11.0.17	Vulnerable Package
Cxf0b588a3-5c6f	Npm-jquery-2.1.4	Vulnerable Package
Cxf0b588a3-5c6f	Npm-jquery-1.10.2	Vulnerable Package
Parameter_Tampering	/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java: 54	Attack Vector
Parameter_Tampering	/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java: 54	Attack Vector
Parameter_Tampering	/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java: 60	Attack Vector
Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACUsers.java: 89	Attack Vector
Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACUsers.java: 76	Attack Vector
Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACUsers.java: 62	Attack Vector
Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java: 62	Attack Vector
Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHash.java: 54	Attack Vector
Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/test/java/org/owasp/webgoat/lessons/missingac/DisplayUserTest.java: 42	Attack Vector
Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/test/java/org/owasp/webgoat/lessons/missingac/DisplayUserTest.java: 35	Attack Vector
Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdminTest.java: 26	Attack Vector
CVE-2024-6762	Maven-org.eclipse.jetty:jetty-servlets-11.0.17	Vulnerable Package
CVE-2024-6763	Maven-org.eclipse.jetty:jetty-server-11.0.17	Vulnerable Package
CVE-2024-6763	Maven-org.eclipse.jetty:jetty-http-11.0.17	Vulnerable Package
Chown Flag Exists	/Dockerfile: 12	It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only e...
Healthcheck Instruction Missing	/Dockerfile: 1	Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
Healthcheck Instruction Missing	/Dockerfile_desktop: 1	Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
Heap_Inspection	/src/main/java/org/owasp/webgoat/webwolf/jwt/JWTController.java: 38	Attack Vector
Heap_Inspection	/src/main/java/org/owasp/webgoat/webwolf/jwt/JWTController.java: 27	Attack Vector
Unpinned Actions Full Length Commit SHA	/test.yml: 56	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/release.yml: 82	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/release.yml: 137	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/release.yml: 145	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/pre-commit.yaml: 26	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/pre-commit.yaml: 28	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/test.yml: 64	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/release.yml: 85	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/test.yml: 45	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/release.yml: 104	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/release.yml: 43	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/release.yml: 77	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/release.yml: 91	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...

Fixed Issues

Severity	Issue	Source File / Package
	SQL_Injection	/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java: 59
	SQL_Injection	/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java: 59
	SQL_Injection	/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java: 59
	SQL_Injection	/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java: 59
	SQL_Injection	/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java: 59
	SQL_Injection	/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java: 59
	SQL_Injection	/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java: 60
	SQL_Injection	/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java: 59
	SQL_Injection	/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java: 59
	SQL_Injection	/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java: 60
	SQL_Injection	/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java: 44
	SQL_Injection	/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java: 44
	Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java: 57
	Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java: 57
	Use_of_a_One_Way_Hash_with_a_Predictable_Salt

More results are available on AST platform

mobb fix commit: b27d032a-97d1-4371-9aae-1325941d9d49

3995082

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Comments

SQL Injection vulnerability fix (powered by Mobb)#29

SQL Injection vulnerability fix (powered by Mobb)#29
eitanMobb wants to merge 1 commit intomainfrom
Mobb-fix-e30a94aa5b

eitanMobb commented Nov 7, 2024

Uh oh!

eitanMobb commented Nov 7, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Comments

Conversation

eitanMobb commented Nov 7, 2024

Issue description

Fix instructions

Uh oh!

eitanMobb commented Nov 7, 2024

New Issues

Fixed Issues

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant