
CP 7.0 - Bug #12596 & Bug #12731 #1789

Merged
merged 2 commits into master_7.0.x from CP_7_12596_1773_static_and_dynamic_attachement on Apr 23, 2024

Conversation

ebernard
Contributor

No description provided.

@ebernard ebernard changed the base branch from develop to master_7.0.x April 22, 2024 13:02
@ebernard ebernard changed the title from "Cherry-pick 12596 and 1773 on 7.0" to "Cherry-pick 12596 and 12731 on 7.0" Apr 22, 2024
@GiooDev GiooDev added this to the IT 134 milestone Apr 22, 2024
@GiooDev GiooDev changed the title from "Cherry-pick 12596 and 12731 on 7.0" to "CP 7.0 - Bug #12596 & Bug #12731" Apr 22, 2024
@GiooDev GiooDev added the Cherry-Pick label Apr 22, 2024
@vitam-devops
Collaborator

Checkmarx One – Scan Summary & Details (scan ID 3e238eed-348a-45ae-8344-1229b021128a)

New Issues

| Severity | Issue | Source File / Package | Checkmarx Insight |
| --- | --- | --- | --- |
| HIGH | CVE-2017-18640 | Maven-org.yaml:snakeyaml-1.19 | Vulnerable Package |
| HIGH | CVE-2019-15599 | Npm-tree-kill-1.2.1 | Vulnerable Package |
| HIGH | CVE-2020-28491 | Maven-com.fasterxml.jackson.dataformat:jackson-dataformat-cbor-2.6.7 | Vulnerable Package |
| HIGH | CVE-2020-28502 | Npm-xmlhttprequest-ssl-1.5.5 | Vulnerable Package |
| HIGH | CVE-2020-36048 | Npm-engine.io-3.2.1 | Vulnerable Package |
| HIGH | CVE-2020-36049 | Npm-socket.io-parser-3.2.0 | Vulnerable Package |
| HIGH | CVE-2020-7660 | Npm-serialize-javascript-1.9.1 | Vulnerable Package |
| HIGH | CVE-2020-7788 | Npm-ini-1.3.5 | Vulnerable Package |
| HIGH | CVE-2021-31597 | Npm-xmlhttprequest-ssl-1.5.5 | Vulnerable Package |
| HIGH | CVE-2021-33813 | Maven-org.jdom:jdom2-2.0.6 | Vulnerable Package |
| HIGH | CVE-2021-37136 | Maven-io.netty:netty-codec-4.1.65.Final | Vulnerable Package |
| HIGH | CVE-2021-37137 | Maven-io.netty:netty-codec-4.1.65.Final | Vulnerable Package |
| HIGH | CVE-2021-43466 | Maven-org.thymeleaf:thymeleaf-spring5-3.0.12.RELEASE | Vulnerable Package |
| HIGH | CVE-2022-0265 | Maven-com.hazelcast:hazelcast-4.2.2 | Vulnerable Package |
| HIGH | CVE-2022-2421 | Npm-socket.io-parser-3.2.0 | Vulnerable Package |
| HIGH | CVE-2022-25857 | Maven-org.yaml:snakeyaml-1.29 | Vulnerable Package |
| HIGH | CVE-2022-25857 | Maven-org.yaml:snakeyaml-1.19 | Vulnerable Package |
| HIGH | CVE-2022-25857 | Maven-org.yaml:snakeyaml-1.28 | Vulnerable Package |
| HIGH | CVE-2022-28366 | Maven-net.sourceforge.htmlunit:neko-htmlunit-2.24 | Vulnerable Package |
| HIGH | CVE-2022-36437 | Maven-com.hazelcast:hazelcast-4.2.2 | Vulnerable Package |
| HIGH | CVE-2022-42252 | Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.63 | Vulnerable Package |
| HIGH | CVE-2022-45143 | Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.63 | Vulnerable Package |
| HIGH | CVE-2023-24998 | Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.63 | Vulnerable Package |
| HIGH | Client_DOM_XSS | /cas/cas-server/src/main/resources/static/js/duo/Duo-Web-v2.min.js: 136 | Attack Vector |
| HIGH | Cxb3498186-093f | Maven-org.freemarker:freemarker-2.3.29 | Vulnerable Package |
| HIGH | Cxb3498186-093f | Maven-org.freemarker:freemarker-2.3.20 | Vulnerable Package |
| HIGH | Passwords And Secrets - Generic Password | /vitamui_vars.yml: 298 | Query to find passwords and secrets in infrastructure code. |
| HIGH | Reflected_XSS_All_Clients | /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118 | Attack Vector |
| MEDIUM | Absolute_Path_Traversal | /ui/ui-pastis/src/main/java/fr/gouv/vitamui/pastis/rest/ProfileController.java: 245 | Attack Vector |
| MEDIUM | Absolute_Path_Traversal | /ui/ui-referential/src/main/java/fr/gouv/vitamui/referential/rest/RuleController.java: 219 | Attack Vector |
| MEDIUM | Absolute_Path_Traversal | /ui/ui-commons/src/main/java/fr/gouv/vitamui/ui/commons/rest/RuleController.java: 211 | Attack Vector |
| MEDIUM | Absolute_Path_Traversal | /ui/ui-pastis/src/main/java/fr/gouv/vitamui/pastis/rest/ArchivalProfileUnitController.java: 211 | Attack Vector |
| MEDIUM | Absolute_Path_Traversal | /ui/ui-pastis/src/main/java/fr/gouv/vitamui/pastis/rest/PastisController.java: 99 | Attack Vector |
| MEDIUM | CVE-2019-16769 | Npm-serialize-javascript-1.9.1 | Vulnerable Package |
| MEDIUM | CVE-2020-15366 | Npm-ajv-6.10.0 | Vulnerable Package |
| MEDIUM | CVE-2020-15366 | Npm-ajv-5.5.2 | Vulnerable Package |
| MEDIUM | CVE-2020-28481 | Npm-socket.io-2.1.1 | Vulnerable Package |
| MEDIUM | CVE-2020-7693 | Npm-sockjs-0.3.19 | Vulnerable Package |
| MEDIUM | CVE-2021-23364 | Npm-browserslist-4.5.5 | Vulnerable Package |
| MEDIUM | CVE-2022-21704 | Npm-log4js-4.5.1 | Vulnerable Package |
| MEDIUM | CVE-2022-24823 | Maven-io.netty:netty-common-4.1.65.Final | Vulnerable Package |
| MEDIUM | CVE-2022-38749 | Maven-org.yaml:snakeyaml-1.28 | Vulnerable Package |
| MEDIUM | CVE-2022-38749 | Maven-org.yaml:snakeyaml-1.29 | Vulnerable Package |
| MEDIUM | CVE-2022-38749 | Maven-org.yaml:snakeyaml-1.19 | Vulnerable Package |
| MEDIUM | CVE-2022-38750 | Maven-org.yaml:snakeyaml-1.19 | Vulnerable Package |
| MEDIUM | CVE-2022-38750 | Maven-org.yaml:snakeyaml-1.28 | Vulnerable Package |
| MEDIUM | CVE-2022-38750 | Maven-org.yaml:snakeyaml-1.29 | Vulnerable Package |
| MEDIUM | CVE-2022-38751 | Maven-org.yaml:snakeyaml-1.19 | Vulnerable Package |
| MEDIUM | CVE-2022-38751 | Maven-org.yaml:snakeyaml-1.28 | Vulnerable Package |
| MEDIUM | CVE-2022-38751 | Maven-org.yaml:snakeyaml-1.29 | Vulnerable Package |
| MEDIUM | CVE-2022-38752 | Maven-org.yaml:snakeyaml-1.19 | Vulnerable Package |
| MEDIUM | CVE-2022-38752 | Maven-org.yaml:snakeyaml-1.29 | Vulnerable Package |
| MEDIUM | CVE-2022-38752 | Maven-org.yaml:snakeyaml-1.28 | Vulnerable Package |
| MEDIUM | CVE-2022-41854 | Maven-org.yaml:snakeyaml-1.29 | Vulnerable Package |
| MEDIUM | CVE-2022-41854 | Maven-org.yaml:snakeyaml-1.19 | Vulnerable Package |
| MEDIUM | CVE-2022-41854 | Maven-org.yaml:snakeyaml-1.28 | Vulnerable Package |
| MEDIUM | CVE-2022-41940 | Npm-engine.io-3.2.1 | Vulnerable Package |
| MEDIUM | CVE-2023-28708 | Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.63 | Vulnerable Package |
| MEDIUM | CVE-2024-25710 | Maven-org.apache.commons:commons-compress-1.21 | Vulnerable Package |
| MEDIUM | CVE-2024-26308 | Maven-org.apache.commons:commons-compress-1.21 | Vulnerable Package |
| MEDIUM | Cleartext_Submission_of_Sensitive_Information | /api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/IdentityProviderBuilder.java: 153 | Attack Vector |
| MEDIUM | Cleartext_Submission_of_Sensitive_Information | /api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/IdentityProviderBuilder.java: 169 | Attack Vector |
| MEDIUM | Cleartext_Submission_of_Sensitive_Information | /api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/IdentityProviderBuilder.java: 166 | Attack Vector |
| MEDIUM | Cleartext_Submission_of_Sensitive_Information | /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/user/service/UserEmailInternalService.java: 99 | Attack Vector |
| MEDIUM | Cleartext_Submission_of_Sensitive_Information | /api/api-iam/iam-external-client/src/main/java/fr/gouv/vitamui/iam/external/client/CasExternalRestClient.java: 79 | Attack Vector |
| MEDIUM | Client_Privacy_Violation | /cas/cas-server/src/main/resources/static/js/passwordMeter.js: 23 | Attack Vector |
| MEDIUM | Container Traffic Not Bound To Host Interface | /mongo_cluster.yml: 37 | Incoming container traffic should be bound to a specific host interface |
| MEDIUM | Container Traffic Not Bound To Host Interface | /mongo_cluster.yml: 58 | Incoming container traffic should be bound to a specific host interface |
| MEDIUM | Container Traffic Not Bound To Host Interface | /mongo_cluster.yml: 15 | Incoming container traffic should be bound to a specific host interface |
| MEDIUM | Healthcheck Not Set | /mongo_cluster.yml: 26 | Check containers periodically to see if they are running properly. |
| MEDIUM | Healthcheck Not Set | /mongo_cluster.yml: 47 | Check containers periodically to see if they are running properly. |
| MEDIUM | Memory Not Limited | /mongo_cluster.yml: 26 | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t... |
| MEDIUM | Memory Not Limited | /mongo_cluster.yml: 47 | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t... |
| MEDIUM | Privacy_Violation | /ui/ui-identity/src/main/java/fr/gouv/vitamui/identity/service/ProviderService.java: 214 | Attack Vector |
| MEDIUM | Privacy_Violation | /api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/IdentityProviderBuilder.java: 111 | Attack Vector |
| MEDIUM | Privacy_Violation | /api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/IdentityProviderBuilder.java: 110 | Attack Vector |
| MEDIUM | Privacy_Violation | /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118 | Attack Vector |
| MEDIUM | Privacy_Violation | /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118 | Attack Vector |
| MEDIUM | Privacy_Violation | /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java: 183 | Attack Vector |
| MEDIUM | Privacy_Violation | /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java: 183 | Attack Vector |
| MEDIUM | Privacy_Violation | /ui/ui-identity/src/main/java/fr/gouv/vitamui/identity/service/ProviderService.java: 214 | Attack Vector |
| MEDIUM | Privacy_Violation | /api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/IdentityProviderBuilder.java: 111 | Attack Vector |
| MEDIUM | Privacy_Violation | /api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/IdentityProviderBuilder.java: 110 | Attack Vector |
| MEDIUM | Privacy_Violation | /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/idp/converter/IdentityProviderConverter.java: 155 | Attack Vector |
| MEDIUM | Privacy_Violation | /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java: 185 | Attack Vector |
| MEDIUM | Privacy_Violation | /api/api-iam/iam-external-client/src/main/java/fr/gouv/vitamui/iam/external/client/CasExternalRestClient.java: 135 | Attack Vector |
| MEDIUM | Privacy_Violation | /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java: 183 | Attack Vector |
| MEDIUM | Privacy_Violation | /api/api-iam/iam-external/src/main/java/fr/gouv/vitamui/iam/external/server/rest/CasExternalController.java: 100 | Attack Vector |
| MEDIUM | Privacy_Violation | /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/idp/converter/IdentityProviderConverter.java: 155 | Attack Vector |
| MEDIUM | Privacy_Violation | /api/api-iam/iam-external-client/src/main/java/fr/gouv/vitamui/iam/external/client/CasExternalRestClient.java: 135 | Attack Vector |
| MEDIUM | Privacy_Violation | /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java: 183 | Attack Vector |
| MEDIUM | Privacy_Violation | /api/api-iam/iam-external/src/main/java/fr/gouv/vitamui/iam/external/server/rest/CasExternalController.java: 100 | Attack Vector |
| MEDIUM | Privacy_Violation | /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 110 | Attack Vector |
| MEDIUM | Privacy_Violation | /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118 | Attack Vector |
| MEDIUM | SSL_Verification_Bypass | /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/filter/ExternalRequestHeadersAuthenticationFilter.java: 88 | Attack Vector |
| MEDIUM | SSL_Verification_Bypass | /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/filter/ExternalRequestHeadersAuthenticationFilter.java: 85 | Attack Vector |
| MEDIUM | SSRF | /api/api-referential/referential-external/src/main/java/fr/gouv/vitamui/referential/external/server/rest/IngestContractExternalController.java: 107 | Attack Vector |
| MEDIUM | SSRF | /api/api-referential/referential-external/src/main/java/fr/gouv/vitamui/referential/external/server/rest/ContextExternalController.java: 106 | Attack Vector |
| MEDIUM | SSRF | /ui/ui-commons/src/main/java/fr/gouv/vitamui/ui/commons/rest/RuleController.java: 181 | Attack Vector |
| MEDIUM | SSRF | /api/api-iam/iam-external/src/main/java/fr/gouv/vitamui/iam/external/server/rest/UserInfoExternalController.java: 167 | Attack Vector |
| MEDIUM | SSRF | /ui/ui-referential/src/main/java/fr/gouv/vitamui/referential/rest/ManagementContractController.java: 161 | Attack Vector |
| MEDIUM | SSRF | /api/api-referential/referential-external/src/main/java/fr/gouv/vitamui/referential/external/server/rest/IngestContractExternalController.java: 140 | Attack Vector |
| MEDIUM | SSRF | /api/api-referential/referential-external/src/main/java/fr/gouv/vitamui/referential/external/server/rest/ContextExternalController.java: 138 | Attack Vector |
| MEDIUM | SSRF | /api/api-referential/referential-external/src/main/java/fr/gouv/vitamui/referential/external/server/rest/FileFormatExternalController.java: 135 | Attack Vector |
| MEDIUM | SSRF | /ui/ui-identity/src/main/java/fr/gouv/vitamui/identity/rest/ProviderController.java: 152 | Attack Vector |
| MEDIUM | SSRF | /api/api-referential/referential-external/src/main/java/fr/gouv/vitamui/referential/external/server/rest/IngestContractExternalController.java: 124 | Attack Vector |
| MEDIUM | SSRF | /api/api-referential/referential-external/src/main/java/fr/gouv/vitamui/referential/external/server/rest/ContextExternalController.java: 123 | Attack Vector |
| MEDIUM | SSRF | /api/api-referential/referential-external/src/main/java/fr/gouv/vitamui/referential/external/server/rest/IngestContractExternalController.java: 115 | Attack Vector |
| MEDIUM | SSRF | /api/api-referential/referential-external/src/main/java/fr/gouv/vitamui/referential/external/server/rest/ContextExternalController.java: 113 | Attack Vector |
| MEDIUM | SSRF | /api/api-referential/referential-external/src/main/java/fr/gouv/vitamui/referential/external/server/rest/LogbookManagementOperationExternalController.java: 81 | Attack Vector |
| MEDIUM | SSRF | /ui/ui-referential/src/main/java/fr/gouv/vitamui/referential/rest/LogbookManagementOperationController.java: 103 | Attack Vector |
| MEDIUM | SSRF | /api/api-iam/iam-external/src/main/java/fr/gouv/vitamui/iam/external/server/rest/CasExternalController.java: 156 | Attack Vector |
MEDIUM SSRF

More results are available on the AST platform.
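Triage note, added here as an example and not part of the PR or of the VitamUI code base: the bot's table lists the same dependency several times (org.yaml:snakeyaml appears at 1.19, 1.28 and 1.29, each with its own set of CVEs) and the same SAST query several times at one sink (Privacy_Violation at InternalSecurityService.java:118), so the raw row count overstates the number of distinct fixes. The hypothetical Python script below parses rows in the flattened shape shown above, splits SCA rows ("Vulnerable Package") from SAST/IaC rows ("<path>: <line>"), builds an upgrade worklist keyed by package, and collapses repeated SAST sinks to one line item with a count. The package-coordinate encoding it assumes ("<Ecosystem>-<name>-<version>", version being the last "-"-separated token) is inferred from the rows on this page, not documented by Checkmarx; the sample rows are copied from the table above.

```python
"""Triage helper for a flattened Checkmarx One "Scan Summary & Details" comment.

Hypothetical helper written for this page (not VitamUI code). Assumed encodings,
inferred from the rows on the page rather than documented: SCA rows end in
"Vulnerable Package" and carry "<Ecosystem>-<name>-<version>" coordinates where the
version is the last "-"-separated token; SAST/IaC rows carry "<path>: <line>".
"""
import re
from collections import Counter
from dataclasses import dataclass, field

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFO": 0}

# SCA rows: exactly two whitespace-free tokens between the severity and "Vulnerable Package".
SCA_ROW = re.compile(r"^(?P<sev>[A-Z]+)\s+(?P<issue>\S+)\s+(?P<pkg>\S+)\s+Vulnerable Package$")
# SAST/IaC rows: issue names may contain spaces, so anchor on the "/path: <line>" location.
SAST_ROW = re.compile(
    r"^(?P<sev>[A-Z]+)\s+(?P<issue>.+?)\s+(?P<path>/\S+):\s*(?P<line>\d+)\s+(?P<insight>.+)$"
)

# Constructed sample: a dozen rows copied from the scan table in this PR.
SAMPLE_ROWS = """\
HIGH CVE-2017-18640 Maven-org.yaml:snakeyaml-1.19 Vulnerable Package
HIGH CVE-2022-25857 Maven-org.yaml:snakeyaml-1.29 Vulnerable Package
HIGH CVE-2022-25857 Maven-org.yaml:snakeyaml-1.19 Vulnerable Package
HIGH CVE-2022-25857 Maven-org.yaml:snakeyaml-1.28 Vulnerable Package
HIGH CVE-2021-37136 Maven-io.netty:netty-codec-4.1.65.Final Vulnerable Package
HIGH CVE-2019-15599 Npm-tree-kill-1.2.1 Vulnerable Package
MEDIUM CVE-2022-38749 Maven-org.yaml:snakeyaml-1.28 Vulnerable Package
HIGH Cxb3498186-093f Maven-org.freemarker:freemarker-2.3.29 Vulnerable Package
HIGH Reflected_XSS_All_Clients /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118 Attack Vector
MEDIUM Privacy_Violation /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118 Attack Vector
MEDIUM Privacy_Violation /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118 Attack Vector
MEDIUM Healthcheck Not Set /mongo_cluster.yml: 26 Check containers periodically to see if they are running properly.
"""


@dataclass(frozen=True)
class ScaFinding:
    severity: str
    issue: str      # CVE id, or a Checkmarx-internal id such as Cxb...
    ecosystem: str  # Maven, Npm, ...
    name: str       # e.g. org.yaml:snakeyaml or tree-kill
    version: str


@dataclass(frozen=True)
class SastFinding:
    severity: str
    issue: str
    path: str
    line: int
    insight: str


@dataclass
class PackageSummary:
    ecosystem: str
    name: str
    versions: set = field(default_factory=set)
    issues: set = field(default_factory=set)
    worst: str = "INFO"


def parse_package(coord: str) -> tuple:
    """Split 'Npm-tree-kill-1.2.1' into ('Npm', 'tree-kill', '1.2.1'); the version is the last token."""
    ecosystem, rest = coord.split("-", 1)
    if "-" not in rest:          # coordinate without a version: keep the name, leave version empty
        return ecosystem, rest, ""
    name, version = rest.rsplit("-", 1)
    return ecosystem, name, version


def parse_rows(text: str):
    """Return (sca_findings, sast_findings, unparsed_lines); nothing is silently dropped."""
    sca, sast, unparsed = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Severity "):   # blank or header row
            continue
        m = SCA_ROW.match(line)
        if m:
            eco, name, ver = parse_package(m["pkg"])
            sca.append(ScaFinding(m["sev"], m["issue"], eco, name, ver))
            continue
        m = SAST_ROW.match(line)
        if m:
            sast.append(SastFinding(m["sev"], m["issue"], m["path"], int(m["line"]), m["insight"]))
            continue
        unparsed.append(line)    # e.g. a row truncated by the comment length limit
    return sca, sast, unparsed


def upgrade_worklist(sca) -> dict:
    """One entry per (ecosystem, package) with every version and issue seen and the worst severity."""
    out = {}
    for f in sca:
        s = out.setdefault(f"{f.ecosystem}:{f.name}", PackageSummary(f.ecosystem, f.name))
        s.versions.add(f.version)
        s.issues.add(f.issue)
        if SEVERITY_RANK.get(f.severity, 0) > SEVERITY_RANK.get(s.worst, 0):
            s.worst = f.severity
    return out


def dedupe_sast(sast) -> Counter:
    """Checkmarx reports one row per data-flow path; collapse identical (query, file, line) sinks."""
    return Counter((f.issue, f.path, f.line) for f in sast)


if __name__ == "__main__":
    sca, sast, leftovers = parse_rows(SAMPLE_ROWS)
    ordered = sorted(upgrade_worklist(sca).items(),
                     key=lambda kv: (-SEVERITY_RANK.get(kv[1].worst, 0), -len(kv[1].issues)))
    for key, s in ordered:
        print(f"{s.worst:6} {key:40} versions={sorted(s.versions)} issues={sorted(s.issues)}")
    for (issue, path, line), n in dedupe_sast(sast).items():
        print(f"SAST   {issue} {path}:{line} (x{n})")
    if leftovers:
        print("unparsed rows:", leftovers)
```

Run against the full table, the worklist is what goes into the dependency-bump ticket: one line per package with the versions currently on the classpath and the CVEs the bump closes, instead of forty rows that all resolve to the same `snakeyaml` upgrade. Rows the regexes do not recognise (such as the truncated trailing row) are returned rather than dropped, so a format change in the bot output is noticed instead of shrinking the count.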

@ebernard ebernard merged commit 14c0bef into master_7.0.x Apr 23, 2024
2 checks passed
@ebernard ebernard deleted the CP_7_12596_1773_static_and_dynamic_attachement branch April 23, 2024 14:48
6 participants