[Java] CRLF Injection #387
Comments
Hi @haby0 Thanks for the submission. Log Injection was already contributed by: How is your query different? If it adds new sinks, please add them to the existing query. Re: Mail header injection. I was under the impression that those APIs were fixed a time ago. Can you please provide a working PoC in the form of a simple test case where we can validate that CRLF is still an issue for those APIs?
@pwntester The version of
Is 1.6.2 secure against CRLF injection?
Is safe
Then the issue should be reported by an SCA tool (such as dependabot), since CodeQL is not checking the version used and could result in a high number of FPs.
I'm closing this issue as is. If relevant, please submit an improvement for the existing Log Injection query. Thanks for the contribution!
Thank you
Your submission is now in status Closed. For information, the evaluation workflow is the following:
Query
Link to pull request with your CodeQL query:
Relevant PR: github/codeql#6173
CVE ID(s)
List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.
Report
Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.
If unprocessed user input is directly added to email headers or written to logs, malicious users can carry out email or log injection attacks.
Result(s)
Provide at least one useful result found by your query, on some revision of a real project.
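The two sinks the report names, log lines and mail header values, with the checks a defender would put in front of them. This is an added example, not code from the issue, the CodeQL repository or the pull request; the class and method names are this example's own, and the sample input is constructed. It shows the distinction that matters for the query: a log line can be kept on one line by neutralising control characters, whereas a mail header value that contains CR or LF can never be legitimate and should be rejected outright.

```java
import java.util.logging.Logger;

/**
 * Added example (not from the issue or the CodeQL repository): guards for the
 * two CRLF sinks discussed above. Names are this example's own choices.
 */
public class CrlfGuard {

    private static final Logger LOG = Logger.getLogger(CrlfGuard.class.getName());

    /** Replace CR, LF and other C0 control characters so one event stays one log line. */
    public static String sanitizeForLog(String untrusted) {
        if (untrusted == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(untrusted.length());
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            // 0x00-0x1F and 0x7F cover \r, \n, tab and ESC (terminal escape sequences)
            sb.append(c < 0x20 || c == 0x7F ? '_' : c);
        }
        return sb.toString();
    }

    /** A header value must be a single line; reject rather than repair it. */
    public static String requireSingleLine(String headerName, String value) {
        if (value == null || value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
            throw new IllegalArgumentException(
                    "header " + headerName + " must not contain CR or LF");
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed input: the embedded CRLF would otherwise start a second log record
        String username = "alice\r\nWARNING: forged entry";

        // Unsafe pattern (the kind of sink the query is meant to flag):
        // LOG.info("login failed for " + username);

        // Hardened: the line break is neutralised, the record stays on one line
        LOG.info("login failed for " + sanitizeForLog(username));

        // Mail header: a constructed value with CRLF is rejected before it reaches the message
        try {
            requireSingleLine("Subject", "Hello\r\nX-Injected: 1");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The log sanitizer deliberately replaces rather than strips, so a reviewer reading the log can still see that a control character was present. For headers, throwing is preferable to silently stripping because a caller that passes CRLF in a header value is almost always passing unvalidated input, and that is the bug worth surfacing.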