|
1 | 1 | #The name of the vulnerability. |
2 | | -vuln.name.NettyResponseSplittingRisk=Netty Response Splitting Risk |
3 | 2 | vuln.name.PatternMatchesDOS=Pattern Matches DOS Risk |
4 | | -vuln.name.SystemEXITDOS=System EXIT DOS Risk |
5 | | -vuln.name.ReadFile=Arbitrary File Read Risk |
6 | | -vuln.name.CommonIOFileWrite=CommonIO File Write Risk |
7 | | -vuln.name.IOFilesWrite=Arbitrary File Write Risk |
8 | 3 | vuln.name.InjectionFilter=Maybe injection filter class |
9 | | -vuln.name.JDBCAttack=JDBC Attack Risk |
10 | | -vuln.name.JNDIInjection=JNDI Injection Risk |
11 | | -vuln.name.LDAPUnserialize=LDAP Unserialize Risk |
12 | 4 | vuln.name.BroadCORSAllowOrigin=Broad CORS Allow Origin Risk |
13 | 5 | vuln.name.HardCodedCredential=Hard Coded Credential Risk |
14 | | -vuln.name.OpenSAML2IgnoreComments=OpenSAML2 Ignore Comments Risk |
15 | | -vuln.name.BSHRCE=BSH RCE Risk |
16 | | -vuln.name.BurlapUnserialize=Burlap Unserialize Risk |
17 | | -vuln.name.CastorUnserialize=Castor Unserialize Risk |
18 | | -vuln.name.CompilableRCE=Compilable RCE Risk |
19 | | -vuln.name.ELRCE=EL RCE Risk |
20 | | -vuln.name.ExpressionRCE=Expression RCE Risk |
21 | | -vuln.name.FastjsonAutoType=Fastjson AutoType Risk |
22 | | -vuln.name.FastjsonUnserialize=Fastjson Unserialize Risk |
23 | | -vuln.name.GroovyRCE=Groovy RCE Risk |
24 | | -vuln.name.HessianUnserialize=Hessian Unserialize Risk |
25 | 6 | vuln.name.JacksonDatabindDefaultTyping=Jackson Databind Default Typing Risk |
26 | | -vuln.name.JEXLRCE=JEXL RCE Risk |
27 | | -vuln.name.JSchOSRCE=JSch OS RCE Risk |
28 | | -vuln.name.JsonIOUnserialize=JsonIO Unserialize Risk |
29 | | -vuln.name.JYamlUnserialize=JYaml Unserialize Risk |
30 | | -vuln.name.JythonRCE=Jython RCE Risk |
31 | | -vuln.name.KryoUnserialize=Kryo Unserialize Risk |
32 | | -vuln.name.MVELRCE=MVEL RCE Risk |
33 | | -vuln.name.NashornScriptEngineRCE=Nashorn Script Engine RCE Risk |
34 | | -vuln.name.ObjectInputStreamUnserialize=ObjectInputStream Unserialize Risk |
35 | | -vuln.name.OGNLInjectionRCE=OGNL Injection RCE Risk |
36 | | -vuln.name.RhinoRCE=Rhino RCE Risk |
37 | | -vuln.name.RuntimeRCE=Runtime RCE Risk |
38 | | -vuln.name.ScriptEngineRCE=Script Engine RCE Risk |
39 | | -vuln.name.SnakeYamlUnserialize=SnakeYaml Unserialize Risk |
40 | | -vuln.name.SPELRCE=SPEL RCE Risk |
41 | | -vuln.name.XMLDecoderUnserialize=XMLDecoder Unserialize Risk |
42 | | -vuln.name.XSLTRCE=XSLT RCE Risk |
43 | | -vuln.name.XStreamUnserialize=XStream Unserialize Risk |
44 | | -vuln.name.YamlBeansUnserialize=YamlBeans Unserialize Risk |
45 | | -vuln.name.JakartaRedirect=Jakarta Redirect Risk |
46 | | -vuln.name.JavaxRedirect=Javax Redirect Risk |
47 | | -vuln.name.Reflect=Reflection Risk |
48 | 7 | vuln.name.MybatisAnnotationSQLi=Mybatis Annotation SQLi Risk |
49 | 8 | vuln.name.MybatisXmlSQLi=Mybatis XML SQLi Risk |
50 | 9 | vuln.name.PlaceholderStringSQLi=Placeholder String SQLi Risk |
51 | 10 | vuln.name.PolyadicExpressionSQLi=Polyadic Expression SQLi Risk |
52 | 11 | vuln.name.SQLi=SQLi Risk |
53 | | -vuln.name.ApacheSSRF=Apache SSRF Risk |
54 | | -vuln.name.GoogleIOSSRF=Google IO SSRF Risk |
55 | | -vuln.name.JavaURLSSRF=Java URL SSRF Risk |
56 | | -vuln.name.JsoupSSRF=Jsoup SSRF Risk |
57 | | -vuln.name.OkhttpSSRF=Okhttp SSRF Risk |
58 | | -vuln.name.SpringSSRF=Spring SSRF Risk |
59 | | -vuln.name.URLConnectionSSRF=URL Connection SSRF Risk |
60 | | -#vuln.name.C3P0Unserialize= C3P0 Unserialize Risk |
61 | | -vuln.name.BeetlSSTI=Beetl SSTI Risk |
62 | | -vuln.name.FreemarkeraSSTI=Freemarkera SSTI Risk |
63 | | -vuln.name.JinjavaSSTI=Jinjava SSTI Risk |
64 | | -vuln.name.PebbleSSTI=Pebble SSTI Risk |
65 | | -vuln.name.ThymeleafSSTI=Thymeleaf SSTI Risk |
66 | | -vuln.name.ValidationSSTI=Validation SSTI Risk |
67 | | -vuln.name.VelocitySSTI=Velocity SSTI Risk |
68 | 12 | vuln.name.XXE=XXE Risk |
69 | 13 |
|
70 | 14 | #The massage of the vulnerability. |
71 | | -vuln.massage.NettyResponseSplittingRisk=Please check for Netty Response Splitting Risk |
72 | 15 | vuln.massage.PatternMatchesDOS=Please check for Pattern Matches DOS Risk |
73 | | -vuln.massage.SystemEXITDOS=Please check for System EXIT DOS Risk |
74 | | -vuln.massage.ReadFile=Please check for Arbitrary File Read Risk |
75 | | -vuln.massage.CommonIOFileWrite=Please check for CommonIO File Write Risk |
76 | | -vuln.massage.IOFilesWrite=Please check for Arbitrary File Write Risk |
77 | 16 | vuln.massage.SQLFilter=Maybe SQL filter class |
78 | 17 | vuln.massage.XSSFilter=Maybe XSS filter class |
79 | | -vuln.massage.JDBCAttack=Please check for JDBC Attack Risk |
80 | | -vuln.massage.JNDIInjection=Please check for JNDI Injection Risk |
81 | | -vuln.massage.LDAPUnserialize=Please check for LDAP Unserialize Risk |
82 | 18 | vuln.massage.BroadCORSAllowOrigin=Please check for Broad CORS Allow Origin Risk |
83 | 19 | vuln.massage.HardCodedCredential=Please check for Hard Coded Credential Risk |
84 | | -vuln.massage.OpenSAML2IgnoreComments=Please check for OpenSAML2 Ignore Comments Risk |
85 | | -vuln.massage.BSHRCE=Please check for BSH RCE Risk |
86 | | -vuln.massage.BurlapUnserialize=Please check for Burlap Unserialize Risk |
87 | | -vuln.massage.CastorUnserialize=Please check for Castor Unserialize Risk |
88 | | -vuln.massage.CompilableRCE=Please check for Compilable RCE Risk |
89 | | -vuln.massage.ELRCE=Please check for EL RCE Risk |
90 | | -vuln.massage.ExpressionRCE=Please check for Expression RCE Risk |
91 | | -vuln.massage.FastjsonAutoType=Please check for Fastjson AutoType Risk |
92 | | -vuln.massage.FastjsonUnserialize=Please check for Fastjson Unserialize Risk |
93 | | -vuln.massage.GroovyRCE=Please check for Groovy RCE Risk |
94 | | -vuln.massage.HessianUnserialize=Please check for Hessian Unserialize Risk |
95 | 20 | vuln.massage.JacksonDatabindDefaultTyping=Please check for Jackson Databind Default Typing Risk |
96 | | -vuln.massage.JEXLRCE=Please check for JEXL RCE Risk |
97 | | -vuln.massage.JSchOSRCE=Please check for JSch OS RCE Risk |
98 | | -vuln.massage.JsonIOUnserialize=Please check for JsonIO Unserialize Risk |
99 | | -vuln.massage.JYamlUnserialize=Please check for JYaml Unserialize Risk |
100 | | -vuln.massage.JythonRCE=Please check for Jython RCE Risk |
101 | | -vuln.massage.KryoUnserialize=Please check for Kryo Unserialize Risk |
102 | | -vuln.massage.MVELRCE=Please check for MVEL RCE Risk |
103 | | -vuln.massage.NashornScriptEngineRCE=Please check for Nashorn Script Engine RCE Risk |
104 | | -vuln.massage.ObjectInputStreamUnserialize=Please check for ObjectInputStream Unserialize Risk |
105 | | -vuln.massage.OGNLInjectionRCE=Please check for OGNL Injection RCE Risk |
106 | | -vuln.massage.RhinoRCE=Please check for Rhino RCE Risk |
107 | | -vuln.massage.RuntimeRCE=Please check for Runtime RCE Risk |
108 | | -vuln.massage.ScriptEngineRCE=Please check for Script Engine RCE Risk |
109 | | -vuln.massage.SnakeYamlUnserialize=Please check for SnakeYaml Unserialize Risk |
110 | | -vuln.massage.SPELRCE=Please check for SPEL RCE Risk |
111 | | -vuln.massage.XMLDecoderUnserialize=Please check for XMLDecoder Unserialize Risk |
112 | | -vuln.massage.XSLTRCE=Please check for XSLT RCE Risk |
113 | | -vuln.massage.XStreamUnserialize=Please check for XStream Unserialize Risk |
114 | | -vuln.massage.YamlBeansUnserialize=Please check for YamlBeans Unserialize Risk |
115 | | -vuln.massage.JakartaRedirect=Please check for Jakarta Redirect Risk |
116 | | -vuln.massage.JavaxRedirect=Please check for Javax Redirect Risk |
117 | | -vuln.massage.Reflect=Please check for Reflection Risk |
118 | 21 | vuln.massage.MybatisAnnotationSQLi=Please check for Mybatis Annotation SQLi Risk |
119 | 22 | vuln.massage.MybatisXmlSQLi=Please check for Mybatis XML SQLi Risk |
120 | 23 | vuln.massage.PlaceholderStringSQLi=Please check for Placeholder String SQLi Risk |
121 | 24 | vuln.massage.PolyadicExpressionSQLi=Please check for Polyadic Expression SQLi Risk |
122 | 25 | vuln.massage.SQLi=Please check for SQLi Risk |
123 | | -vuln.massage.ApacheSSRF=Please check for Apache SSRF Risk |
124 | | -vuln.massage.GoogleIOSSRF=Please check for Google IO SSRF Risk |
125 | | -vuln.massage.JavaURLSSRF=Please check for Java URL SSRF Risk |
126 | | -vuln.massage.JsoupSSRF=Please check for Jsoup SSRF Risk |
127 | | -vuln.massage.OkhttpSSRF=Please check for Okhttp SSRF Risk |
128 | | -vuln.massage.SpringSSRF=Please check for Spring SSRF Risk |
129 | | -vuln.massage.URLConnectionSSRF=Please check for URL Connection SSRF Risk |
130 | | -#vuln.massage.C3P0Unserialize=Please check for C3P0 Unserialize Risk |
131 | | -vuln.massage.BeetlSSTI=Please check for Beetl SSTI Risk |
132 | | -vuln.massage.FreemarkerSSTI=Please check for Freemarkera SSTI Risk |
133 | | -vuln.massage.JinjavaSSTI=Please check for Jinjava SSTI Risk |
134 | | -vuln.massage.PebbleSSTI=Please check for Pebble SSTI Risk |
135 | | -vuln.massage.ThymeleafSSTI=Please check for Thymeleaf SSTI Risk |
136 | | -vuln.massage.ValidationSSTI=Please check for Validation SSTI Risk |
137 | | -vuln.massage.VelocitySSTI=Please check for Velocity SSTI Risk |
138 | 26 | vuln.massage.XXE=Please check for XXE Risk |
139 | 27 |
|
140 | 28 | #Quick fix for the vulnerability. |
141 | | -vuln.fix.NettyResponseSplittingRisk = Turn On the validateHeaders property in the HttpServerCodec |
142 | | -vuln.fix.LDAPUnserialize = Set returnObject parameter to false in the LDAP connection |
143 | | -vuln.fix.OpenSAML2IgnoreComments = Setting the org.opensaml.xml.parse.ParserPool.ignoreComments property to true |
144 | | -vuln.fix.FastjsonAutoType = Remove the Fastjson AutoType feature |
145 | 29 | vuln.fix.JacksonDatabindDefaultTypingAnnotation = Use @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, property = "class") annotation |
146 | 30 | vuln.fix.JacksonDatabindDefaultTypingDefault = Use ObjectMapper.enableDefaultTyping() method |
147 | 31 | vuln.fix.MybatisAnnotationSQLi = Use #{xxx} instead of ${xxx} in Mybatis annotation |
|