Vulnerability fix (powered by Mobb Autofixer)

[eitanMobb]

This change fixes a high severity (🚩) SQL Injection issue reported by Checkmarx.

Issue description

SQL Injection allows attackers to execute malicious SQL queries by manipulating input data. This can result in unauthorized access to sensitive data, data manipulation, or even complete database compromise.

Fix instructions

Use parameterized queries or prepared statements to sanitize user input and prevent manipulation of the SQL query.

More info and fix customization are available in the Mobb platform

[eitanMobb]

Checkmarx One – Scan Summary & Details – 2630a275-dfa2-4b92-b0ec-4a7c1bf10ebc

New Issues (143)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CVE-2013-7285	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: Xstream API versions up to 1.4.6, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands b... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2021-21342	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processe... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2021-21344	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2021-21345	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2021-21346	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2021-21347	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2021-21350	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2021-21351	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2022-1471	Maven-org.yaml:snakeyaml-1.33	details Recommended version: 2.0 Description: SnakeYaml's "Constructor()" class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2024-31573	Maven-org.xmlunit:xmlunit-core-2.9.1	details Recommended version: 2.10.0 Description: XMLUnit for Java has Insecure Defaults when Processing XSLT Stylesheets. This issue affects the package org.xmlunit:xmlunit-core versions prior to ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2024-38821	Maven-org.springframework.security:spring-security-web-6.1.5	details Recommended version: 6.2.8 Description: Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2016-3674	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) Sta... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2017-7957	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' duri... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2020-26217	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2020-26258	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2021-21341	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a re... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2021-21343	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processe... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2021-21348	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2021-21349	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2021-29505	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote at... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2021-39139	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2021-39141	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
	CVE-2021-39144	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has suf... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
	CVE-2021-39145	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
	CVE-2021-39146	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
	CVE-2021-39147	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
	CVE-2021-39148	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
	CVE-2021-39149	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
	CVE-2021-39150	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a simple library to serialize objects to XML and back again. In affected versions, this vulnerability may allow a remote attacker to req... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
	CVE-2021-39151	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a simple library that serializes objects to XML and back again. In versions prior to 1.4.18, this vulnerability may allow a remote attac... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
	CVE-2021-39152	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to requ... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
	CVE-2021-39153	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
	CVE-2021-39154	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
	CVE-2021-43859	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2022-40151	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: Those using Xstream to serialize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2022-41966	Maven-com.thoughtworks.xstream:xstream-1.4.5	details Recommended version: 1.4.21 Description: XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a sta... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2023-1973	Maven-io.undertow:undertow-core-2.3.10.Final	details Recommended version: 2.3.17.Final Description: A flaw was found in Undertow package. Using the "FormAuthenticationMechanism", a malicious user could trigger a Denial of Service by sending crafte... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2023-1973	Maven-io.undertow:undertow-servlet-2.3.10.Final	details Recommended version: 2.3.16.Final Description: A flaw was found in Undertow package. Using the "FormAuthenticationMechanism", a malicious user could trigger a Denial of Service by sending crafte... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2023-24998	Maven-commons-fileupload:commons-fileupload-1.4	details Recommended version: 1.5 Description: Apache Commons FileUpload prior to 1.5 does not limit the number of request parts to be processed, resulting in the possibility of an attacker trig... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2023-34053	Maven-org.springframework:spring-web-6.0.13	details Recommended version: 6.1.14 Description: In Spring Framework versions 6.0.0-M6 through 6.0.13, and 6.1.0-M1 through 6.1.0-RC2, a user can provide specially crafted HTTP requests that may c... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package

More results are available on the CxOne platform

Fixed Issues (11)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	SQL_Injection	/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java: 50
	SQL_Injection	/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java: 44
	SQL_Injection	/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java: 44
	Use_of_a_One_Way_Hash_with_a_Predictable_Salt	/src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java: 57
	Heap_Inspection	/src/main/java/org/owasp/webgoat/webwolf/user/WebGoatUser.java: 44
	Heap_Inspection	/src/main/java/org/owasp/webgoat/lessons/xxe/User.java: 31
	Heap_Inspection	/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java: 43
	Heap_Inspection	/src/main/java/org/owasp/webgoat/container/users/WebGoatUser.java: 26
	Use_Of_Hardcoded_Password_In_Config	/src/main/resources/i18n/messages.properties: 34
	Use_Of_Hardcoded_Password_In_Config	/src/main/resources/lessons/securepasswords/i18n/WebGoatLabels.properties: 4
	Use_Of_Hardcoded_Password_In_Config	/src/main/resources/i18n/messages.properties: 43