Questions tagged [crlf-vulnerability]

40 questions
1 vote, 0 answers

How to address Cross-Site Scripting (XSS) Vulnerability in Jenkins

I'm using standalone latest Jenkins war on my Linux server running on port 9043. The security-audit team reported "Cross-Site Scripting (XSS)" vulnerability for the below Jenkins URL. https://myjenkinshost:9043/label/64_Salve/api/python "64_Salve"…
Ashar • 2,942 • 10 • 58 • 122
1 vote, 1 answer

How to find where a library is being used in my project to fix a Veracode security vulnerability

Currently my application is failing Veracode Scan because of one third party component: "netty-handler.4.1.48.FINAL.jar", which has no safe versions available at the moment. I have reviewed the Veracode Report but I cannot find any specific info…
monkey123 • 183 • 1 • 3 • 11
1 vote, 0 answers

How to solve this 'SendMail Mail Relay Vulnerability'

I have used OpenVAS to scan vulnerabilities in my server. I got this SendMail Mail Relay Vulnerability. But I don't know how to resolve this. Could you please give a hint to resolve this.
Vasu • 35 • 8
0 votes, 1 answer

This use of org/slf4j/Logger.info(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

I am getting this Sonar issue (Security - Potential CRLF Injection for logs) while logging a request body parameter in code. public ResponseEntity someMethod(@RequestBody User user) { log.info("user received as --> {}", user); } How to…
0 votes, 1 answer

Trying to fix source code vulnerability (CWE: 113); Category: Input Validation and Representation - Header Manipulation: Cookies

I am trying to fix the vulnerability (CWE:113, details here) in my React frontend application code. It is also very difficult to find from the vulnerability scan message from the tool, which is (it says on line no 1 of *.js file): VULNERABILITY INFO Category:…
user578219 • 597 • 2 • 9 • 32
0 votes, 2 answers

Cannot resolve symbol 'owasp', import error in intellij

I want to use ESAPI in my project and have added the following dependency in the pom.xml. pom.xml with dependency: org.owasp.encoder encoder
jdk • 451 • 1 • 6 • 18
0 votes, 1 answer

Java Vulnerability issues from external jar files

I need to fix the vulnerabilities found in my project using some scan tools. The problem I am having is that the vulnerabilities are in the external/third-party jar files, and they are already at the higher version. So, is there any approach to follow…
0 votes, 1 answer

How to allow newline characters but still prevent CRLF attack?

I've run a security scan on my server and got some CRLF exploitation warnings. So, as recommended, I've sanitized all my query parameter inputs like below. var encodedStringSafeFromCRLF = Server.UrlDecode(Request.QueryString["address"]) …
0 votes, 1 answer

On-prem to cloud vulnerability scanning

We have vulnerability scanning software in a shared subnet of our on-prem network. We are now adding VMs hosted on the public cloud and need to perform vulnerability scanning on them. One option is to open one-way traffic from on-prem to public cloud…
0 votes, 0 answers

Android app rejected due to Cross App Scripting Vulnerability

My app was rejected from the Play Store saying that there is a WebView vulnerability (Cross App Scripting Vulnerability). After doing some R&D, I have added "android:exported=false" to the activities where I am using WebView. But again I received the same from…
user2384424 • 187 • 1 • 3 • 13
0 votes, 2 answers

Sonatype scan shows Dependency-older-than-10-years

I am new to Nexus IQ issues. I am getting "Dependency-older-than-10-years" constraints while a Nexus IQ by Sonatype scan runs for the below components. Component names: antlr : antlr : 2.7.7 javax.xml : jaxp-api : 1.4.2 org.codehaus.jettison : jettison :…
Ashwinee • 15 • 6
0 votes, 1 answer

Found 1 low severity vulnerability in 1620 scanned packages while creating a new ReactJS app

I am facing an error while creating a new ReactJS app; this error message is displayed on the command line => found 1 low severity vulnerability in 1620 scanned packages
0 votes, 1 answer

CRLF expected at end of chunk (HttpClient)

I am trying to parse data from my server. I am using HttpClient to get my data. But sometimes the data is not fetched and I am shown the error "crlf expected at the end of chunk". I have tried to change the buffer size in jmeter properties following…
0 votes, 3 answers

Is there a validation in ESAPI library that can make sure the CWE-93 vulnerability does not come up in veracode SAST scan?

I did a SAST scan of my code on the Veracode platform and I got this vulnerability in the Java mail functionality which I am using to send mails from my application. The following is the vulnerability that is reported - Improper Neutralization of CRLF…
Shaan Anshu • 51 • 3 • 12
0 votes, 1 answer

Will the validate method on an InternetAddress object remove the CRLF injection issue?

I scanned the project with Veracode and it is giving issues for CWE ID 93 (CRLF injection). This issue is occurring at the below line - InternetAddress[] address = {new InternetAddress(username)}; msg.setRecipients(Message.RecipientType.TO,…
Pavan Divekar • 449 • 2 • 14