-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathDebug.jsonl
5107 lines (5107 loc) · 353 KB
/
Debug.jsonl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
{
"source": [
"#define NAME_TYPE 1#define ID_TYPE 2\nstruct MessageBuffer{int msgType;union {char *name;int nameID;};};\n\nint main (int argc, char **argv) {\nstruct MessageBuffer buf;char *defaultMessage = \"Hello World\";\nbuf.msgType = NAME_TYPE;buf.name = defaultMessage;printf(\"Pointer of buf.name is %p\\n\", buf.name);\n/* This particular value for nameID is used to make the code architecture-independent. If coming from untrusted input, it could be any value. */\n\nbuf.nameID = (int)(defaultMessage + 1);printf(\"Pointer of buf.name is now %p\\n\", buf.name);if (buf.msgType == NAME_TYPE) {printf(\"Message: %s\\n\", buf.name);}else {printf(\"Message: Use ID %d\\n\", buf.nameID);}\n}"
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
}
],
"cwe_id": "CWE-843",
"example_id": "1",
"explanation": "The following code uses a union to support the representation of different types of messages. It formats messages differently, depending on their type.The code intends to process the message as a NAME_TYPE, and sets the default message to \"Hello World.\" However, since both buf.name and buf.nameID are part of the same union, they can act as aliases for the same memory location, depending on memory layout after compilation.As a result, modification of buf.nameID - an int - can effectively modify the pointer that is stored in buf.name - a string.Execution of the program might generate output such as:\n\nPointer of name is 10830\nPointer of name is now 10831\nMessage: ello World\n\nNotice how the pointer for buf.name was changed, even though buf.name was not explicitly modified.In this case, the first \"H\" character of the message is omitted. However, if an attacker is able to fully control the value of buf.nameID, then buf.name could contain an arbitrary pointer, leading to out-of-bounds reads or writes."
}
{
"source": [
"$value = $_GET['value'];$sum = $value + 5;echo \"value parameter is '$value'<p>\";echo \"SUM is $sum\";"
],
"source_status": [
{
"vul_flag": 1,
"language": "PHP"
}
],
"cwe_id": "CWE-843",
"example_id": "2",
"explanation": "The following PHP code accepts a value, adds 5, and prints the sum.When called with the following query string:\n\nvalue=123\n\nthe program calculates the sum and prints out:\n\nSUM is 128\n\nHowever, the attacker could supply a query string such as:\n\nvalue[]=123\n\nThe \"[]\" array syntax causes $value to be treated as an array type, which then generates a fatal error when calculating $sum:\n\nFatal error: Unsupported operand types in program.php on line 2"
}
{
"source": [
"my $UserPrivilegeArray = [\"user\", \"user\", \"admin\", \"user\"];\nmy $userID = get_current_user_ID();\nif ($UserPrivilegeArray eq \"user\") {print \"Regular user!\\n\";}else {print \"Admin!\\n\";}\nprint \"\\$UserPrivilegeArray = $UserPrivilegeArray\\n\";"
],
"source_status": [
{
"vul_flag": 1,
"language": "Perl"
}
],
"cwe_id": "CWE-843",
"example_id": "3",
"explanation": "The following Perl code is intended to look up the privileges for user ID's between 0 and 3, by performing an access of the $UserPrivilegeArray reference. It is expected that only userID 3 is an admin (since this is listed in the third element of the array).In this case, the programmer intended to use \"$UserPrivilegeArray->{$userID}\" to access the proper position in the array. But because the subscript was omitted, the \"user\" string was compared to the scalar representation of the $UserPrivilegeArray reference, which might be of the form \"ARRAY(0x229e8)\" or similar.Since the logic also \"fails open\" (CWE-636), the result of this bug is that all users are assigned administrator privileges. While this is a forced example, it demonstrates how type confusion can have security consequences, even in memory-safe languages."
}
{
"source": [
"sock=socket(AF_INET, SOCK_STREAM, 0);while (1) {newsock=accept(sock, ...);printf(\"A connection has been accepted\\n\");pid = fork();}"
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
}
],
"cwe_id": "CWE-770",
"example_id": "1",
"explanation": "This code allocates a socket and forks each time it receives a new connection.The program does not track how many connections have been made, and it does not limit the number of connections. Because forking is a relatively expensive operation, an attacker would be able to cause the system to run out of CPU, processes, or memory by making a large number of connections. Alternatively, an attacker could consume all available connections, preventing others from accessing the system remotely."
}
{
"source": [
"int writeDataFromSocketToFile(char *host, int port){\n\nchar filename[FILENAME_SIZE];char buffer[BUFFER_SIZE];int socket = openSocketConnection(host, port);\nif (socket < 0) {printf(\"Unable to open socket connection\");return(FAIL);}if (getNextMessage(socket, filename, FILENAME_SIZE) > 0) {\nif (openFileToWrite(filename) > 0) {\nwhile (getNextMessage(socket, buffer, BUFFER_SIZE) > 0){if (!(writeToFile(buffer) > 0))break;\n}\n}closeFile();\n}closeSocket(socket);\n}"
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
}
],
"cwe_id": "CWE-770",
"example_id": "2",
"explanation": "In the following example a server socket connection is used to accept a request to store data on the local file system using a specified filename. The method openSocketConnection establishes a server socket to accept requests from a client. When a client establishes a connection to this service the getNextMessage method is first used to retrieve from the socket the name of the file to store the data, the openFileToWrite method will validate the filename and open a file to write to on the local file system. The getNextMessage is then used within a while loop to continuously read data from the socket and output the data to the file until there is no longer any data from the socket.This example creates a situation where data can be dumped to a file on the local file system without any limits on the size of the file. This could potentially exhaust file or disk resources and/or limit other clients' ability to access the service."
}
{
"source": [
"/* process message accepts a two-dimensional character array of the form [length][body] containing the message to be processed */\nint processMessage(char **message){\nchar *body;\nint length = getMessageLength(message[0]);\nif (length > 0) {body = &message[1][0];processMessageBody(body);return(SUCCESS);}else {printf(\"Unable to process message; invalid message length\");return(FAIL);}\n}",
"unsigned int length = getMessageLength(message[0]);if ((length > 0) && (length < MAX_LENGTH)) {...}"
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
},
{
"vul_flag": 0,
"language": "C"
}
],
"cwe_id": "CWE-770",
"example_id": "3",
"explanation": "In the following example, the processMessage method receives a two dimensional character array containing the message to be processed. The two-dimensional character array contains the length of the message in the first character array and the message body in the second character array. The getMessageLength method retrieves the integer value of the length from the first character array. After validating that the message length is greater than zero, the body character array pointer points to the start of the second character array of the two-dimensional character array and memory is allocated for the new body character array.This example creates a situation where the length of the body character array can be very large and will consume excessive memory, exhausting system resources. This can be avoided by restricting the length of the second character array with a maximum length checkAlso, consider changing the type from 'int' to 'unsigned int', so that you are always guaranteed that the number is positive. This might not be possible if the protocol specifically requires allowing negative values, or if you cannot control the return value from getMessageLength(), but it could simplify the check to ensure the input is positive, and eliminate other errors such as signed-to-unsigned conversion errors (CWE-195) that may occur elsewhere in the code."
}
{
"source": [
"public void acceptConnections() {\n\ntry {ServerSocket serverSocket = new ServerSocket(SERVER_PORT);int counter = 0;boolean hasConnections = true;while (hasConnections) {Socket client = serverSocket.accept();Thread t = new Thread(new ClientSocketThread(client));t.setName(client.getInetAddress().getHostName() + \":\" + counter++);t.start();}serverSocket.close();\n\n} catch (IOException ex) {...}\n}",
"public static final int SERVER_PORT = 4444;public static final int MAX_CONNECTIONS = 10;...\npublic void acceptConnections() {\n\ntry {ServerSocket serverSocket = new ServerSocket(SERVER_PORT);int counter = 0;boolean hasConnections = true;while (hasConnections) {hasConnections = checkForMoreConnections();Socket client = serverSocket.accept();Thread t = new Thread(new ClientSocketThread(client));t.setName(client.getInetAddress().getHostName() + \":\" + counter++);ExecutorService pool = Executors.newFixedThreadPool(MAX_CONNECTIONS);pool.execute(t);}serverSocket.close();\n\n} catch (IOException ex) {...}\n}"
],
"source_status": [
{
"vul_flag": 1,
"language": "Java"
},
{
"vul_flag": 0,
"language": "Java"
}
],
"cwe_id": "CWE-770",
"example_id": "4",
"explanation": "In the following example, a server object creates a server socket and accepts client connections to the socket. For every client connection to the socket a separate thread object is generated using the ClientSocketThread class that handles request made by the client through the socket.In this example there is no limit to the number of client connections and client threads that are created. Allowing an unlimited number of client connections and threads could potentially overwhelm the system and system resources.The server should limit the number of client connections and the client threads that are created. This can be easily done by creating a thread pool object that limits the number of threads that are generated."
}
{
"source": [],
"source_status": [],
"cwe_id": "CWE-770",
"example_id": "5",
"explanation": "An unnamed web site allowed a user to purchase tickets for an event. A menu option allowed the user to purchase up to 10 tickets, but the back end did not restrict the actual number of tickets that could be purchased.Example 5 References:[REF-667] Rafal Los. \"Real-Life Example of a 'Business Logic Defect' (Screen Shots!)\". 2011. \n\t\t\t\t<http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/Real-Life-Example-of-a-Business-Logic-Defect-Screen-Shots/ba-p/22581>."
}
{
"source": [
"bar connection() {foo = malloc(1024);return foo;}endConnection(bar foo) {free(foo);}int main() {while(1) {foo=connection();}endConnection(foo)}"
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
}
],
"cwe_id": "CWE-770",
"example_id": "6",
"explanation": "Here the problem is that every time a connection is made, more memory is allocated. So if one just opened up more and more connections, eventually the machine would run out of memory."
}
{
"source": [
"String sourceIP = request.getRemoteAddr();if (sourceIP != null && sourceIP.equals(APPROVED_IP)) {authenticated = true;}"
],
"source_status": [
{
"vul_flag": 1,
"language": "Java"
}
],
"cwe_id": "CWE-290",
"example_id": "1",
"explanation": "The following code authenticates users.The authentication mechanism implemented relies on an IP address for source validation. If an attacker is able to spoof the IP, they may be able to bypass the authentication mechanism."
}
{
"source": [
"sd = socket(AF_INET, SOCK_DGRAM, 0);serv.sin_family = AF_INET;serv.sin_addr.s_addr = htonl(INADDR_ANY);servr.sin_port = htons(1008);bind(sd, (struct sockaddr *) & serv, sizeof(serv));\nwhile (1) {memset(msg, 0x0, MAX_MSG);clilen = sizeof(cli);if (inet_ntoa(cli.sin_addr)==getTrustedAddress()) {n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) & cli, &clilen);}}",
"while(true) {\nDatagramPacket rp=new DatagramPacket(rData,rData.length);outSock.receive(rp);String in = new String(p.getData(),0, rp.getLength());InetAddress clientIPAddress = rp.getAddress();int port = rp.getPort();\nif (isTrustedAddress(clientIPAddress) & secretKey.equals(in)) {out = secret.getBytes();DatagramPacket sp =new DatagramPacket(out,out.length, IPAddress, port); outSock.send(sp);}\n}"
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
},
{
"vul_flag": 1,
"language": "Java"
}
],
"cwe_id": "CWE-290",
"example_id": "2",
"explanation": "Both of these examples check if a request is from a trusted address before responding to the request.The code only verifies the address as stored in the request packet. An attacker can spoof this address, thus impersonating a trusted client."
}
{
"source": [
"struct hostent *hp;struct in_addr myaddr;char* tHost = \"trustme.example.com\";myaddr.s_addr=inet_addr(ip_addr_string);\nhp = gethostbyaddr((char *) &myaddr, sizeof(struct in_addr), AF_INET);if (hp && !strncmp(hp->h_name, tHost, sizeof(tHost))) {trusted = true;} else {trusted = false;}",
"String ip = request.getRemoteAddr();InetAddress addr = InetAddress.getByName(ip);if (addr.getCanonicalHostName().endsWith(\"trustme.com\")) {trusted = true;}",
"IPAddress hostIPAddress = IPAddress.Parse(RemoteIpAddress);IPHostEntry hostInfo = Dns.GetHostByAddress(hostIPAddress);if (hostInfo.HostName.EndsWith(\"trustme.com\")) {trusted = true;}"
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
},
{
"vul_flag": 1,
"language": "Java"
},
{
"vul_flag": 1,
"language": "C#"
}
],
"cwe_id": "CWE-290",
"example_id": "3",
"explanation": "The following code samples use a DNS lookup in order to decide whether or not an inbound request is from a trusted host. If an attacker can poison the DNS cache, they can gain trusted status.IP addresses are more reliable than DNS names, but they can also be spoofed. Attackers can easily forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the forged IP address. In order to accomplish the required sniffing, attackers typically attempt to locate themselves on the same subnet as the victim machine. Attackers may be able to circumvent this requirement by using source routing, but source routing is disabled across much of the Internet today. In summary, IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication."
}
{
"source": [
"char last_name[20];printf (\"Enter your last name: \");scanf (\"%s\", last_name);"
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
}
],
"cwe_id": "CWE-120",
"example_id": "1",
"explanation": "The following code asks the user to enter their last name and then attempts to store the value entered in the last_name array.The problem with the code above is that it does not restrict or limit the size of the name entered by the user. If the user enters \"Very_very_long_last_name\" which is 24 characters long, then a buffer overflow will occur since the array can only hold 20 characters total."
}
{
"source": [
"void manipulate_string(char * string){char buf[24];strcpy(buf, string);...}"
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
}
],
"cwe_id": "CWE-120",
"example_id": "2",
"explanation": "The following code attempts to create a local copy of a buffer to perform some manipulations to the data.However, the programmer does not ensure that the size of the data pointed to by string will fit in the local buffer and copies the data with the potentially dangerous strcpy() function. This may result in a buffer overflow condition if an attacker can influence the contents of the string parameter."
}
{
"source": [
"char buf[24];printf(\"Please enter your name and press <Enter>\\n\");gets(buf);...}"
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
}
],
"cwe_id": "CWE-120",
"example_id": "3",
"explanation": "The code below calls the gets() function to read in data from the command line.However, gets() is inherently unsafe, because it copies all input from STDIN to the buffer without checking size. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition."
}
{
"source": [
"...\nstruct hostent *clienthp;char hostname[MAX_LEN];\n// create server socket, bind to server address and listen on socket...\n// accept client connections and process requestsint count = 0;for (count = 0; count < MAX_CONNECTIONS; count++) {\n\nint clientlen = sizeof(struct sockaddr_in);int clientsocket = accept(serversocket, (struct sockaddr *)&clientaddr, &clientlen);\nif (clientsocket >= 0) {\nclienthp = gethostbyaddr((char*) &clientaddr.sin_addr.s_addr, sizeof(clientaddr.sin_addr.s_addr), AF_INET);strcpy(hostname, clienthp->h_name);logOutput(\"Accepted client connection from host \", hostname);\n// process client request...close(clientsocket);\n}\n}close(serversocket);\n\n..."
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
}
],
"cwe_id": "CWE-120",
"example_id": "4",
"explanation": "In the following example, a server accepts connections from a client and processes the client request. After accepting a client connection, the program will obtain client information using the gethostbyaddr method, copy the hostname of the client that connected to a local variable and output the hostname of the client to a log file.However, the hostname of the client that connected may be longer than the allocated size for the local hostname variable. This will result in a buffer overflow when copying the client hostname to the local variable using the strcpy method."
}
{
"source": [
"response.addCookie( new Cookie(\"userAccountID\", acctID);"
],
"source_status": [
{
"vul_flag": 1,
"language": "Java"
}
],
"cwe_id": "CWE-312",
"example_id": "1",
"explanation": "The following code excerpt stores a plaintext user account ID in a browser cookie.Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker."
}
{
"source": [
"function persistLogin($username, $password){$data = array(\"username\" => $username, \"password\"=> $password);setcookie (\"userdata\", $data);}"
],
"source_status": [
{
"vul_flag": 1,
"language": "PHP"
}
],
"cwe_id": "CWE-312",
"example_id": "2",
"explanation": "This code writes a user's login information to a cookie so the user does not have to login again later.The code stores the user's username and password in plaintext in a cookie on the user's machine. This exposes the user's login information if their computer is compromised by an attacker. Even if the user's machine is not compromised, this weakness combined with cross-site scripting (CWE-79) could allow an attacker to remotely copy the cookie. Also note this example code also exhibits Plaintext Storage in a Cookie (CWE-315)."
}
{
"source": [
"server.sin_family = AF_INET; hp = gethostbyname(argv[1]);if (hp==NULL) error(\"Unknown host\");memcpy( (char *)&server.sin_addr,(char *)hp->h_addr,hp->h_length);if (argc < 3) port = 80;else port = (unsigned short)atoi(argv[3]);server.sin_port = htons(port);if (connect(sock, (struct sockaddr *)&server, sizeof server) < 0) error(\"Connecting\");...while ((n=read(sock,buffer,BUFSIZE-1))!=-1) {\n\nwrite(dfd,password_buffer,n);..."
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
}
],
"cwe_id": "CWE-312",
"example_id": "3",
"explanation": "The following code attempts to establish a connection, read in a password, then store it to a buffer.While successful, the program does not encrypt the data before writing it to a buffer, possibly exposing it to unauthorized actors."
}
{
"source": [
"# Java Web App ResourceBundle properties file\n...webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword...",
"...<connectionStrings><add name=\"ud_DEV\" connectionString=\"connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;\" providerName=\"System.Data.Odbc\" /></connectionStrings>..."
],
"source_status": [
{
"vul_flag": 1,
"language": "Java"
},
{
"vul_flag": 1,
"language": "ASP.NET"
}
],
"cwe_id": "CWE-312",
"example_id": "4",
"explanation": "The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext.This Java example shows a properties file with a cleartext username / password pair.The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext.Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information."
}
{
"source": [],
"source_status": [],
"cwe_id": "CWE-312",
"example_id": "5",
"explanation": "In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were \"insecure by design\" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. At least one OT product stored a password in plaintext."
}
{
"source": [
"A security researcher found 86 S3 buckets that could be accessed without authentication (CWE-306) and stored data unencrypted (CWE-312). These buckets exposed over 1000 GB of data and 1.6 million files including physical addresses, phone numbers, tax documents, pictures of driver's license IDs, etc. [REF-1296] [REF-1295]",
"The sensitive information could have been protected by ensuring that the buckets did not have public read access, e.g., by enabling the s3-account-level-public-access-blocks-periodic rule to Block Public Access. In addition, the data could have been encrypted at rest using the appropriate S3 settings, e.g., by enabling server-side encryption using the s3-bucket-server-side-encryption-enabled setting. Other settings are available to further prevent bucket data from being leaked. [REF-1297]"
],
"source_status": [
{
"vul_flag": 1,
"language": "Other"
},
{
"vul_flag": 0,
"language": "Other"
}
],
"cwe_id": "CWE-312",
"example_id": "6",
"explanation": "In 2021, a web site operated by PeopleGIS stored data of US municipalities in Amazon Web Service (AWS) Simple Storage Service (S3) buckets.While it was not publicly disclosed how the data was protected after discovery, multiple options could have been considered."
}
{
"source": [
"New-AzStorageEncryptionScope -ResourceGroupName \"MyResourceGroup\" -AccountName \"MyStorageAccount\" -EncryptionScopeName testscope -StorageEncryption",
"ResourceGroupName: MyResourceGroup, StorageAccountName: MyStorageAccount\n\n\n\n\nName\nState\nSource\nRequireInfrastructureEncryption\n\n\ntestscope\nEnabled\nMicrosoft.Storage",
"New-AzStorageEncryptionScope -ResourceGroupName \"MyResourceGroup\" -AccountName \"MyStorageAccount\" -EncryptionScopeName testscope -StorageEncryption -RequireInfrastructureEncryption",
"ResourceGroupName: MyResourceGroup, StorageAccountName: MyStorageAccount\n\n\n\n\nName\nState\nSource\nRequireInfrastructureEncryption\n\n\ntestscope\nEnabled\nMicrosoft.Keyvault\nTrue"
],
"source_status": [
{
"vul_flag": 1,
"language": "Shell"
},
{
"vul_flag": 1,
"language": "Other"
},
{
"vul_flag": 0,
"language": "Shell"
},
{
"vul_flag": 0,
"language": "(result) Other"
}
],
"cwe_id": "CWE-312",
"example_id": "7",
"explanation": "Consider the following PowerShell command examples for encryption scopes of Azure storage objects. In the first example, an encryption scope is set for the storage account.The result (edited and formatted for readability) might be:However, the empty string under RequireInfrastructureEncryption indicates this service was not enabled at the time of creation, because the -RequireInfrastructureEncryption argument was not specified in the command.Including the -RequireInfrastructureEncryption argument addresses the issue:This produces the report:In a scenario where both software and hardware layer encryption is required (\"double encryption\"), Azure's infrastructure encryption setting can be enabled via the CLI or Portal. An important note is that infrastructure hardware encryption cannot be enabled or disabled after a blob is created. Furthermore, the default value for infrastructure encryption is disabled in blob creations."
}
{
"source": [
"try {URL u = new URL(\"http://www.secret.example.org/\");HttpURLConnection hu = (HttpURLConnection) u.openConnection();hu.setRequestMethod(\"PUT\");hu.connect();OutputStream os = hu.getOutputStream();hu.disconnect();}catch (IOException e) {\n//...\n\n}"
],
"source_status": [
{
"vul_flag": 1,
"language": "Java"
}
],
"cwe_id": "CWE-319",
"example_id": "1",
"explanation": "The following code attempts to establish a connection to a site to communicate sensitive information.Though a connection is successfully made, the connection is unencrypted and it is possible that all sensitive data sent to or received from the server will be read by unintended actors."
}
{
"source": [],
"source_status": [],
"cwe_id": "CWE-319",
"example_id": "2",
"explanation": "In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were \"insecure by design\" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. Multiple vendors used cleartext transmission of sensitive information in their OT products."
}
{
"source": [],
"source_status": [],
"cwe_id": "CWE-319",
"example_id": "3",
"explanation": "A TAP accessible register is read/written by a JTAG based tool, for internal use by authorized users. However, an adversary can connect a probing device and collect the values from the unencrypted channel connecting the JTAG interface to the authorized user, if no additional protections are employed."
}
{
"source": [
"az storage account show -g {ResourceGroupName} -n {StorageAccountName}",
"{\n\n\t\t \"name\": \"{StorageAccountName}\",\n\t\t \"enableHttpsTrafficOnly\": false,\n\t\t \"type\": \"Microsoft.Storage/storageAccounts\"\n\n\t\t }",
"az storage account update -g {ResourceGroupName} -n {StorageAccountName} --https-only true",
"{\n\n\t\t \"name\": \"{StorageAccountName}\",\n\t\t \"enableHttpsTrafficOnly\": true,\n\t\t \"type\": \"Microsoft.Storage/storageAccounts\"\n\n\t\t }"
],
"source_status": [
{
"vul_flag": 0,
"language": "(informative) Shell"
},
{
"vul_flag": 1,
"language": "JSON"
},
{
"vul_flag": 0,
"language": "Shell"
},
{
"vul_flag": 0,
"language": "JSON"
}
],
"cwe_id": "CWE-319",
"example_id": "4",
"explanation": "The following Azure CLI command lists the properties of a particular storage account:The JSON result might be:The enableHttpsTrafficOnly value is set to false, because the default setting for Secure transfer is set to Disabled. This allows cloud storage resources to successfully connect and transfer data without the use of encryption (e.g., HTTP, SMB 2.1, SMB 3.0, etc.).Azure's storage accounts can be configured to only accept requests from secure connections made over HTTPS. The secure transfer setting can be enabled using Azure's Portal (GUI) or programmatically by setting the enableHttpsTrafficOnly property to True on the storage account, such as:The change can be confirmed from the result by verifying that the enableHttpsTrafficOnly value is true:\nNote: to enable secure transfer using Azure's Portal instead of the command line:\n\n1. Open the Create storage account pane in the Azure portal.\n2. In the Advanced page, select the Enable secure transfer checkbox."
}
{
"source": [
"$transfer_amount = GetTransferAmount();$balance = GetBalanceFromDatabase();\nif ($transfer_amount < 0) {FatalError(\"Bad Transfer Amount\");}$newbalance = $balance - $transfer_amount;if (($balance - $transfer_amount) < 0) {FatalError(\"Insufficient Funds\");}SendNewBalanceToDatabase($newbalance);NotifyUser(\"Transfer of $transfer_amount succeeded.\");NotifyUser(\"New balance: $newbalance\");",
"In the following pseudocode, the attacker makes two simultaneous calls of the program, CALLER-1 and CALLER-2. Both callers are for the same user account.CALLER-1 (the attacker) is associated with PROGRAM-1 (the instance that handles CALLER-1). CALLER-2 is associated with PROGRAM-2.CALLER-1 makes a transfer request of 80.00.PROGRAM-1 calls GetBalanceFromDatabase and sets $balance to 100.00PROGRAM-1 calculates $newbalance as 20.00, then calls SendNewBalanceToDatabase().Due to high server load, the PROGRAM-1 call to SendNewBalanceToDatabase() encounters a delay.CALLER-2 makes a transfer request of 1.00.PROGRAM-2 calls GetBalanceFromDatabase() and sets $balance to 100.00. This happens because the previous PROGRAM-1 request was not processed yet.PROGRAM-2 determines the new balance as 99.00.After the initial delay, PROGRAM-1 commits its balance to the database, setting it to 20.00.PROGRAM-2 sends a request to update the database, setting the balance to 99.00"
],
"source_status": [
{
"vul_flag": 1,
"language": "Perl"
},
{
"vul_flag": 0,
"language": "(attack code) Other"
}
],
"cwe_id": "CWE-362",
"example_id": "1",
"explanation": "This code could be used in an e-commerce application that supports transfers between accounts. It takes the total amount of the transfer, sends it to the new account, and deducts the amount from the original account.A race condition could occur between the calls to GetBalanceFromDatabase() and SendNewBalanceToDatabase().Suppose the balance is initially 100.00. An attack could be constructed as follows:At this stage, the attacker should have a balance of 19.00 (due to 81.00 worth of transfers), but the balance is 99.00, as recorded in the database.To prevent this weakness, the programmer has several options, including using a lock to prevent multiple simultaneous requests to the web application, or using a synchronization mechanism that includes all the code between GetBalanceFromDatabase() and SendNewBalanceToDatabase()."
}
{
"source": [
"void f(pthread_mutex_t *mutex) {\npthread_mutex_lock(mutex);\n\n/* access shared resource */\n\n\npthread_mutex_unlock(mutex);\n}",
"int f(pthread_mutex_t *mutex) {\nint result;\nresult = pthread_mutex_lock(mutex);if (0 != result)return result;\n\n\n/* access shared resource */\n\n\nreturn pthread_mutex_unlock(mutex);\n}"
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
},
{
"vul_flag": 0,
"language": "C"
}
],
"cwe_id": "CWE-362",
"example_id": "2",
"explanation": "The following function attempts to acquire a lock in order to perform operations on a shared resource.However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior.In order to avoid data races, correctly written programs must check the result of thread synchronization functions and appropriately handle all errors, either by attempting to recover from them or reporting them to higher levels."
}
{
"source": [],
"source_status": [],
"cwe_id": "CWE-362",
"example_id": "3",
"explanation": "Suppose a processor's Memory Management Unit (MMU) has 5 other shadow MMUs to distribute its workload for its various cores. Each MMU has the start address and end address of \"accessible\" memory. Any time this accessible range changes (as per the processor's boot status), the main MMU sends an update message to all the shadow MMUs.Suppose the interconnect fabric does not prioritize such \"update\" packets over other general traffic packets. This introduces a race condition. If an attacker can flood the target with enough messages so that some of those attack packets reach the target before the new access ranges gets updated, then the attacker can leverage this scenario."
}
{
"source": [
"<form action=\"/url/profile.php\" method=\"post\"><input type=\"text\" name=\"firstname\"/><input type=\"text\" name=\"lastname\"/><br/><input type=\"text\" name=\"email\"/><input type=\"submit\" name=\"submit\" value=\"Update\"/></form>",
"// initiate the session in order to validate sessions\nsession_start();\n\n//if the session is registered to a valid user then allow update\n\nif (! session_is_registered(\"username\")) {\n\necho \"invalid session detected!\";\n\n// Redirect user to login page\n[...]\nexit;\n}\n\n// The user session is valid, so process the request\n\n\n// and update the information\n\nupdate_profile();\nfunction update_profile {\n\n\n// read in the data from $POST and send an update\n\n\n// to the database\nSendUpdateToDatabase($_SESSION['username'], $_POST['email']);[...]echo \"Your profile has been successfully updated.\";\n}",
"<SCRIPT>function SendAttack () {form.email = \"attacker@example.com\";\n// send to profile.php\nform.submit();}</SCRIPT>\n<BODY onload=\"javascript:SendAttack();\">\n<form action=\"http://victim.example.com/profile.php\" id=\"form\" method=\"post\"><input type=\"hidden\" name=\"firstname\" value=\"Funny\"><input type=\"hidden\" name=\"lastname\" value=\"Joke\"><br/><input type=\"hidden\" name=\"email\"></form>"
],
"source_status": [
{
"vul_flag": 1,
"language": "HTML"
},
{
"vul_flag": 1,
"language": "PHP"
},
{
"vul_flag": 0,
"language": "(attack code) HTML"
}
],
"cwe_id": "CWE-352",
"example_id": "1",
"explanation": "This example PHP code attempts to secure the form submission process by validating that the user submitting the form has a valid session. A CSRF attack would not be prevented by this countermeasure because the attacker forges a request through the user's web browser in which a valid session already exists.The following HTML is intended to allow a user to update a profile.profile.php contains the following code.This code may look protected since it checks for a valid session. However, CSRF attacks can be staged from virtually any tag or HTML construct, including image tags, links, embed or object tags, or other attributes that load background images.The attacker can then host code that will silently change the username and email address of any user that visits the page while remaining logged in to the target web application. The code might be an innocent-looking web page such as:Notice how the form contains hidden fields, so when it is loaded into the browser, the user will not notice it. Because SendAttack() is defined in the body's onload attribute, it will be automatically called when the victim loads the web page.Assuming that the user is already logged in to victim.example.com, profile.php will see that a valid user session has been established, then update the email address to the attacker's own address. At this stage, the user's identity has been compromised, and messages sent through this profile could be sent to the attacker's address."
}
{
"source": [
"try {File file = new File(\"object.obj\");ObjectInputStream in = new ObjectInputStream(new FileInputStream(file));javax.swing.JButton button = (javax.swing.JButton) in.readObject();in.close();}",
"private final void readObject(ObjectInputStream in) throws java.io.IOException {throw new java.io.IOException(\"Cannot be deserialized\"); }"
],
"source_status": [
{
"vul_flag": 1,
"language": "Java"
},
{
"vul_flag": 0,
"language": "Java"
}
],
"cwe_id": "CWE-502",
"example_id": "1",
"explanation": "This code snippet deserializes an object from a file and uses it as a UI button:This code does not attempt to verify the source or contents of the file before deserializing it. An attacker may be able to replace the intended file with a file that contains arbitrary malicious code which will be executed when the button is pressed.To mitigate this, explicitly define final readObject() to prevent deserialization. An example of this is:"
}
{
"source": [
"try {\nclass ExampleProtocol(protocol.Protocol):def dataReceived(self, data):\n# Code that would be here would parse the incoming data# After receiving headers, call confirmAuth() to authenticate\ndef confirmAuth(self, headers):try:token = cPickle.loads(base64.b64decode(headers['AuthToken']))if not check_hmac(token['signature'], token['data'], getSecretKey()):raise AuthFailself.secure_data = token['data']except:raise AuthFail\n}"
],
"source_status": [
{
"vul_flag": 1,
"language": "Python"
}
],
"cwe_id": "CWE-502",
"example_id": "2",
"explanation": "In Python, the Pickle library handles the serialization and deserialization processes. In this example derived from [REF-467], the code receives and parses data, and afterwards tries to authenticate a user based on validating a token. Unfortunately, the code does not verify that the incoming data is legitimate. An attacker can construct a illegitimate, serialized object \"AuthToken\" that instantiates one of Python's subprocesses to execute arbitrary commands. For instance,the attacker could construct a pickle that leverages Python's subprocess module, which spawns new processes and includes a number of arguments for various uses. Since Pickle allows objects to define the process for how they should be unpickled, the attacker can direct the unpickle process to call Popen in the subprocess module and execute /bin/sh."
}
{
"source": [
"http://somesite.com/someapplication/admin.jsp"
],
"source_status": [
{
"vul_flag": 0,
"language": "(attack code) JSP"
}
],
"cwe_id": "CWE-425",
"example_id": "1",
"explanation": "If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following."
}
{
"source": [
"public int computeAverageResponseTime (int totalTime, int numRequests) {return totalTime / numRequests;}",
"public int computeAverageResponseTime (int totalTime, int numRequests) throws ArithmeticException {if (numRequests == 0) {System.out.println(\"Division by zero attempted!\");throw ArithmeticException;}return totalTime / numRequests;}"
],
"source_status": [
{
"vul_flag": 1,
"language": "Java"
},
{
"vul_flag": 0,
"language": ""
}
],
"cwe_id": "CWE-369",
"example_id": "1",
"explanation": "The following Java example contains a function to compute an average but does not validate that the input value used as the denominator is not zero. This will create an exception for attempting to divide by zero. If this error is not handled by Java exception handling, unexpected results can occur.By validating the input value used as the denominator the following code will ensure that a divide by zero error will not cause unexpected results. The following Java code example will validate the input value, output an error message, and throw an exception."
}
{
"source": [
"double divide(double x, double y){return x/y;}",
"const int DivideByZero = 10;double divide(double x, double y){if ( 0 == y ){throw DivideByZero;}return x/y;}...try{divide(10, 0);}catch( int i ){if(i==DivideByZero) {cerr<<\"Divide by zero error\";}}"
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
},
{
"vul_flag": 0,
"language": ""
}
],
"cwe_id": "CWE-369",
"example_id": "2",
"explanation": "The following C/C++ example contains a function that divides two numeric values without verifying that the input value used as the denominator is not zero. This will create an error for attempting to divide by zero, if this error is not caught by the error handling capabilities of the language, unexpected results can occur.By validating the input value used as the denominator the following code will ensure that a divide by zero error will not cause unexpected results. If the method is called and a zero is passed as the second argument a DivideByZero error will be thrown and should be caught by the calling block with an output message indicating the error.Example 2 References:[REF-371] Alex Allain. \"Handling Errors Exceptionally Well in C++\". <https://www.cprogramming.com/tutorial/exceptions.html>. URL validated: 2023-04-07."
}
{
"source": [
"int Division(int x, int y){return (x / y);}",
"int SafeDivision(int x, int y){try{return (x / y);}catch (System.DivideByZeroException dbz){System.Console.WriteLine(\"Division by zero attempted!\");return 0;}}"
],
"source_status": [
{
"vul_flag": 1,
"language": "C#"
},
{
"vul_flag": 0,
"language": ""
}
],
"cwe_id": "CWE-369",
"example_id": "3",
"explanation": "The following C# example contains a function that divides two numeric values without verifying that the input value used as the denominator is not zero. This will create an error for attempting to divide by zero, if this error is not caught by the error handling capabilities of the language, unexpected results can occur.The method can be modified to raise, catch and handle the DivideByZeroException if the input value used as the denominator is zero.Example 3 References:[REF-372] Microsoft. \"Exceptions and Exception Handling (C# Programming Guide)\". <https://msdn.microsoft.com/pl-pl/library/ms173160(v=vs.100).aspx>."
}
{
"source": [
"char* ptr = (char*)malloc (SIZE);...if (abrt) {free(ptr);}...free(ptr);"
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
}
],
"cwe_id": "CWE-415",
"example_id": "1",
"explanation": "The following code shows a simple example of a double free vulnerability.Double free vulnerabilities have two common (and sometimes overlapping) causes:\n\n\nError conditions and other exceptional circumstances\n\n\nConfusion over which part of the program is responsible for freeing the memory\n\n\nAlthough some double free vulnerabilities are not much more complicated than this example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once."
}
{
"source": [
"#include <stdio.h>#include <unistd.h>#define BUFSIZE1 512#define BUFSIZE2 ((BUFSIZE1/2) - 8)\nint main(int argc, char **argv) {char *buf1R1;char *buf2R1;char *buf1R2;buf1R1 = (char *) malloc(BUFSIZE2);buf2R1 = (char *) malloc(BUFSIZE2);free(buf1R1);free(buf2R1);buf1R2 = (char *) malloc(BUFSIZE1);strncpy(buf1R2, argv[1], BUFSIZE1-1);free(buf2R1);free(buf1R2);}"
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
}
],
"cwe_id": "CWE-415",
"example_id": "2",
"explanation": "While contrived, this code should be exploitable on Linux distributions that do not ship with heap-chunk check summing turned on."
}
{
"source": [
"URL[] classURLs= new URL[]{new URL(\"file:subdir/\")};URLClassLoader loader = new URLClassLoader(classURLs);Class loadedClass = Class.forName(\"loadMe\", true, loader);"
],
"source_status": [
{
"vul_flag": 1,
"language": "Java"
}
],
"cwe_id": "CWE-494",
"example_id": "1",
"explanation": "This example loads an external class from a local subdirectory.This code does not ensure that the class loaded is the intended one, for example by verifying the class's checksum. An attacker may be able to modify the class file to execute malicious code."
}
{
"source": [
"//assume the password is already encrypted, avoiding CWE-312 \n\nfunction authenticate($username,$password){\ninclude(\"http://external.example.com/dbInfo.php\");\n\n//dbInfo.php makes $dbhost, $dbuser, $dbpass, $dbname available\nmysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');mysql_select_db($dbname);$query = 'Select * from users where username='.$username.' And password='.$password;$result = mysql_query($query);\nif(mysql_numrows($result) == 1){mysql_close();return true;}else{mysql_close();return false;}\n}"
],
"source_status": [
{
"vul_flag": 1,
"language": "PHP"
}
],
"cwe_id": "CWE-494",
"example_id": "2",
"explanation": "This code includes an external script to get database credentials, then authenticates a user against the database, allowing access to the application.This code does not verify that the external domain accessed is the intended one. An attacker may somehow cause the external domain name to resolve to an attack server, which would provide the information for a false database. The attacker may then steal the usernames and encrypted passwords from real user login attempts, or simply allow themself to access the application without a real user account.This example is also vulnerable to an Adversary-in-the-Middle AITM (CWE-300) attack."
}
{
"source": [
"my $username=param('username');\n my $password=param('password');\n \nif (IsValidUsername($username) == 1)\n {\n if (IsValidPassword($username, $password) == 1)\n {\n print \"Login Successful\";\n }\n else\n {\n print \"Login Failed - incorrect password\";\n }\n }\n else\n {\n print \"Login Failed - unknown username\";\n }",
"\"Login Failed - incorrect username or password\""
],
"source_status": [
{
"vul_flag": 1,
"language": "Perl"
},
{
"vul_flag": 0,
"language": "(result)"
}
],
"cwe_id": "CWE-200",
"example_id": "1",
"explanation": "The following code checks validity of the supplied username and password and notifies the user of a successful or failed login.In the above code, there are different messages for when an incorrect username is supplied, versus when the username is correct but the password is wrong. This difference enables a potential attacker to understand the state of the login function, and could allow an attacker to discover a valid username by trying different values until the incorrect password message is returned. In essence, this makes it easier for an attacker to obtain half of the necessary authentication credentials.While this type of information may be helpful to a user, it is also useful to a potential attacker. In the above example, the message for both failed cases should be the same, such as:"
}
{
"source": [
"try {openDbConnection();}\n//print exception message that includes exception message and configuration file location\ncatch (Exception $e) {echo 'Caught exception: ', $e->getMessage(), '\\n';echo 'Check credentials in config file at: ', $Mysql_config_location, '\\n';}"
],
"source_status": [
{
"vul_flag": 1,
"language": "PHP"
}
],
"cwe_id": "CWE-200",
"example_id": "2",
"explanation": "This code tries to open a database connection, and prints any exceptions that occur.If an exception occurs, the printed message exposes the location of the configuration file the script is using. An attacker can use this information to target the configuration file (perhaps exploiting a Path Traversal weakness). If the file can be read, the attacker could gain credentials for accessing the database. The attacker may also be able to replace the file with a malicious one, causing the application to use an arbitrary database."
}
{
"source": [
"public BankAccount getUserBankAccount(String username, String accountNumber) {\nBankAccount userAccount = null;String query = null;try {if (isAuthorizedUser(username)) {query = \"SELECT * FROM accounts WHERE owner = \"+ username + \" AND accountID = \" + accountNumber;DatabaseManager dbManager = new DatabaseManager();Connection conn = dbManager.getConnection();Statement stmt = conn.createStatement();ResultSet queryResult = stmt.executeQuery(query);userAccount = (BankAccount)queryResult.getObject(accountNumber);}} catch (SQLException ex) {String logMessage = \"Unable to retrieve account information from database,\\nquery: \" + query;Logger.getLogger(BankManager.class.getName()).log(Level.SEVERE, logMessage, ex);}return userAccount;\n}"
],
"source_status": [
{
"vul_flag": 1,
"language": "Java"
}
],
"cwe_id": "CWE-200",
"example_id": "3",
"explanation": "In the example below, the method getUserBankAccount retrieves a bank account object from a database using the supplied username and account number to query the database. If an SQLException is raised when querying the database, an error message is created and output to a log file.The error message that is created includes information about the database query that may contain sensitive information about the database or query logic. In this case, the error message will expose the table name and column names used in the database. This data could be used to simplify other attacks, such as SQL injection (CWE-89) to directly access the database."
}
{
"source": [
"locationClient = new LocationClient(this, this, this);locationClient.connect();currentUser.setLocation(locationClient.getLastLocation());\n...\n\ncatch (Exception e) {AlertDialog.Builder builder = new AlertDialog.Builder(this);builder.setMessage(\"Sorry, this application has experienced an error.\");AlertDialog alert = builder.create();alert.show();Log.e(\"ExampleActivity\", \"Caught exception: \" + e + \" While on User:\" + User.toString());}"
],
"source_status": [
{
"vul_flag": 1,
"language": "Java"
}
],
"cwe_id": "CWE-200",
"example_id": "4",
"explanation": "This code stores location information about the current user:When the application encounters an exception it will write the user object to the log. Because the user object contains location information, the user's location is also written to the log."
}
{
"source": [
"Warning: mysql_pconnect(): Access denied for user: 'root@localhost' (Using password: N1nj4) in /usr/local/www/wi-data/includes/database.inc on line 4"
],
"source_status": [
{
"vul_flag": 0,
"language": "(result) SQL"
}
],
"cwe_id": "CWE-200",
"example_id": "5",
"explanation": "The following is an actual MySQL error statement:The error clearly exposes the database credentials."
}
{
"source": [
"Social Security Number: <%= ssn %></br>Credit Card Number: <%= ccn %>"
],
"source_status": [
{
"vul_flag": 1,
"language": "JSP"
}
],
"cwe_id": "CWE-200",
"example_id": "6",
"explanation": "This code displays some information on a web page.The code displays a user's credit card and social security numbers, even though they aren't absolutely necessary."
}
{
"source": [
"<% if (Boolean.getBoolean(\"debugEnabled\")) {\n%>User account number: <%= acctNo %><%} %>"
],
"source_status": [
{
"vul_flag": 1,
"language": "JSP"
}
],
"cwe_id": "CWE-200",
"example_id": "7",
"explanation": "The following program changes its behavior based on a debug flag.The code writes sensitive debug information to the client browser if the \"debugEnabled\" flag is set to true ."
}
{
"source": [
"<uses-permission android:name=\"android.permission.ACCESS_FINE_LOCATION\"/>",
"locationClient = new LocationClient(this, this, this);locationClient.connect();Location userCurrLocation;userCurrLocation = locationClient.getLastLocation();deriveStateFromCoords(userCurrLocation);"
],
"source_status": [
{
"vul_flag": 1,
"language": "XML"
},
{
"vul_flag": 1,
"language": "Java"
}
],
"cwe_id": "CWE-200",
"example_id": "8",
"explanation": "This code uses location to determine the user's current US State location.First the application must declare that it requires the ACCESS_FINE_LOCATION permission in the application's manifest.xml:During execution, a call to getLastLocation() will return a location based on the application's location permissions. In this case the application has permission for the most accurate location possible:While the application needs this information, it does not need to use the ACCESS_FINE_LOCATION permission, as the ACCESS_COARSE_LOCATION permission will be sufficient to identify which US state the user is in."
}
{
"source": [
"az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access true",
"az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access false"
],
"source_status": [
{
"vul_flag": 1,
"language": "Shell"
},
{
"vul_flag": 0,
"language": "Shell"
}
],
"cwe_id": "CWE-552",
"example_id": "1",
"explanation": "The following Azure command updates the settings for a storage account:However, \"Allow Blob Public Access\" is set to true, meaning that anonymous/public users can access blobs.The command could be modified to disable \"Allow Blob Public Access\" by setting it to false."
}
{
"source": [
"gsutil iam get gs://BUCKET_NAME",
"{\n\n\t\t \"bindings\":[{\n\n\t\t\t \"members\":[\n\n\t\t\t \"projectEditor: PROJECT-ID\",\n\t\t\t \"projectOwner: PROJECT-ID\"\n\t\t\t \n\t\t\t ],\n\t\t\t \"role\":\"roles/storage.legacyBucketOwner\"\n\n\t\t },\n\t\t {\n\n\t\t\t \"members\":[\n\t\t\t \n\t\t\t \"allUsers\",\n\t\t\t \"projectViewer: PROJECT-ID\"\n\t\t\t ],\n\t\t\t \"role\":\"roles/storage.legacyBucketReader\"\n\n\t\t\t }\n\n\t\t ]\n\n\t\t }",
"gsutil iam ch -d allUsers gs://BUCKET_NAME\n\t\t\t gsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME"
],
"source_status": [
{
"vul_flag": 0,
"language": "(informative) Shell"
},
{
"vul_flag": 1,
"language": "JSON"
},
{
"vul_flag": 0,
"language": "Shell"
}
],
"cwe_id": "CWE-552",
"example_id": "2",
"explanation": "The following Google Cloud Storage command gets the settings for a storage account named 'BUCKET_NAME':Suppose the command returns the following result:This result includes the \"allUsers\" or IAM role added as members, causing this policy configuration to allow public access to cloud storage resources. There would be a similar concern if \"allAuthenticatedUsers\" was present.The command could be modified to remove \"allUsers\" and/or \"allAuthenticatedUsers\" as follows:"
}
{
"source": [
"try {/.../}catch (Exception e) {System.out.println(e);}"
],
"source_status": [
{
"vul_flag": 1,
"language": "Java"
}
],
"cwe_id": "CWE-209",
"example_id": "1",
"explanation": "In the following example, sensitive information might be printed depending on the exception that occurs.If an exception related to SQL is handled by the catch, then the output might contain sensitive information such as SQL query structure or private information. If this output is redirected to a web user, this may represent a security problem."
}
{
"source": [
"try {openDbConnection();}\n//print exception message that includes exception message and configuration file location\ncatch (Exception $e) {echo 'Caught exception: ', $e->getMessage(), '\\n';echo 'Check credentials in config file at: ', $Mysql_config_location, '\\n';}"
],
"source_status": [
{
"vul_flag": 1,
"language": "PHP"
}
],
"cwe_id": "CWE-209",
"example_id": "2",
"explanation": "This code tries to open a database connection, and prints any exceptions that occur.If an exception occurs, the printed message exposes the location of the configuration file the script is using. An attacker can use this information to target the configuration file (perhaps exploiting a Path Traversal weakness). If the file can be read, the attacker could gain credentials for accessing the database. The attacker may also be able to replace the file with a malicious one, causing the application to use an arbitrary database."
}
{
"source": [
"$ConfigDir = \"/home/myprog/config\";$uname = GetUserInput(\"username\");\n\n# avoid CWE-22, CWE-78, others. \nExitError(\"Bad hacker!\") if ($uname !~ /^\\w+$/);$file = \"$ConfigDir/$uname.txt\";if (! (-e $file)) {ExitError(\"Error: $file does not exist\");}..."
],
"source_status": [
{
"vul_flag": 1,
"language": "Perl"
}
],
"cwe_id": "CWE-209",
"example_id": "3",
"explanation": "The following code generates an error message that leaks the full pathname of the configuration file.If this code is running on a server, such as a web application, then the person making the request should not know what the full pathname of the configuration directory is. By submitting a username that does not produce a $file that exists, an attacker could get this pathname. It could then be used to exploit path traversal or symbolic link following problems that may exist elsewhere in the application."
}
{
"source": [
"public BankAccount getUserBankAccount(String username, String accountNumber) {\nBankAccount userAccount = null;String query = null;try {if (isAuthorizedUser(username)) {query = \"SELECT * FROM accounts WHERE owner = \"+ username + \" AND accountID = \" + accountNumber;DatabaseManager dbManager = new DatabaseManager();Connection conn = dbManager.getConnection();Statement stmt = conn.createStatement();ResultSet queryResult = stmt.executeQuery(query);userAccount = (BankAccount)queryResult.getObject(accountNumber);}} catch (SQLException ex) {String logMessage = \"Unable to retrieve account information from database,\\nquery: \" + query;Logger.getLogger(BankManager.class.getName()).log(Level.SEVERE, logMessage, ex);}return userAccount;\n}"
],
"source_status": [
{
"vul_flag": 1,
"language": "Java"
}
],
"cwe_id": "CWE-209",
"example_id": "4",
"explanation": "In the example below, the method getUserBankAccount retrieves a bank account object from a database using the supplied username and account number to query the database. If an SQLException is raised when querying the database, an error message is created and output to a log file.The error message that is created includes information about the database query that may contain sensitive information about the database or query logic. In this case, the error message will expose the table name and column names used in the database. This data could be used to simplify other attacks, such as SQL injection (CWE-89) to directly access the database."
}
{
"source": [
"my $q = new CGI;\nif ($q->cookie('loggedin') ne \"true\") {\nif (! AuthenticateUser($q->param('username'), $q->param('password'))) {ExitError(\"Error: you need to log in first\");}else {\n# Set loggedin and user cookies.$q->cookie(-name => 'loggedin',-value => 'true');\n$q->cookie(-name => 'user',-value => $q->param('username'));\n\n}\n}\nif ($q->cookie('user') eq \"Administrator\") {DoAdministratorTasks();}",
"GET /cgi-bin/vulnerable.cgi HTTP/1.1Cookie: user=AdministratorCookie: loggedin=true\n[body of request]"
],
"source_status": [
{
"vul_flag": 1,
"language": "Perl"
},
{
"vul_flag": 0,
"language": "(attack code)"
}
],
"cwe_id": "CWE-287",
"example_id": "1",
"explanation": "The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to \"remember\" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the \"Administrator\" username, as recorded in the user cookie.Unfortunately, this code can be bypassed. The attacker can set the cookies independently so that the code does not check the username and password. The attacker could do this with an HTTP request containing headers such as:By setting the loggedin cookie to \"true\", the attacker bypasses the entire authentication check. By using the \"Administrator\" value in the user cookie, the attacker also gains privileges to administer the software."
}
{
"source": [],
"source_status": [],
"cwe_id": "CWE-287",
"example_id": "2",
"explanation": "In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support staff, the attacker used the administrator panel to gain access to 33 accounts that belonged to celebrities and politicians. Ultimately, fake Twitter messages were sent that appeared to come from the compromised accounts. Example 2 References:[REF-236] Kim Zetter. \"Weak Password Brings 'Happiness' to Twitter Hacker\". 2009-01-09. \n\t\t\t\t<https://www.wired.com/2009/01/professed-twitt/>. URL validated: 2023-04-07."
}
{
"source": [],
"source_status": [],
"cwe_id": "CWE-287",
"example_id": "3",
"explanation": "In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were \"insecure by design\" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications. Multiple vendors did not use any authentication or used client-side authentication for critical functionality in their OT products."
}
{
"source": [
"if ((cert = SSL_get_peer_certificate(ssl)) && host)foo=SSL_get_verify_result(ssl);\nif ((X509_V_OK==foo) || X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN==foo))\n\n\n// certificate looks good, host can be trusted"
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
}
],
"cwe_id": "CWE-295",
"example_id": "1",
"explanation": "This code checks the certificate of a connected peer.In this case, because the certificate is self-signed, there was no external authority that could prove the identity of the host. The program could be communicating with a different system that is spoofing the host, e.g. by poisoning the DNS cache or using an Adversary-in-the-Middle (AITM) attack to modify the traffic from server to client."
}
{
"source": [
"cert = SSL_get_peer_certificate(ssl);if (cert && (SSL_get_verify_result(ssl)==X509_V_OK)) {\n\n\n// do secret things\n\n\n}"
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
}
],
"cwe_id": "CWE-295",
"example_id": "2",
"explanation": "The following OpenSSL code obtains a certificate and verifies it.Even though the \"verify\" step returns X509_V_OK, this step does not include checking the Common Name against the name of the host. That is, there is no guarantee that the certificate is for the desired host. The SSL connection could have been established with a malicious host that provided a valid certificate."
}
{
"source": [
"if (cert = SSL_get_peer(certificate(ssl)) {\nfoo=SSL_get_verify_result(ssl);if ((X509_V_OK==foo) || (X509_V_ERR_CERT_HAS_EXPIRED==foo))\n\n\n//do stuff"
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
}
],
"cwe_id": "CWE-295",
"example_id": "3",
"explanation": "The following OpenSSL code ensures that there is a certificate and allows the use of expired certificates.If the call to SSL_get_verify_result() returns X509_V_ERR_CERT_HAS_EXPIRED, this means that the certificate has expired. As time goes on, there is an increasing chance for attackers to compromise the certificate."
}
{
"source": [
"if (cert = SSL_get_peer_certificate(ssl)) {\n\n\n// got a certificate, do secret things"
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
}
],
"cwe_id": "CWE-295",
"example_id": "4",
"explanation": "The following OpenSSL code ensures that there is a certificate before continuing execution.Because this code does not use SSL_get_verify_results() to check the certificate, it could accept certificates that have been revoked (X509_V_ERR_CERT_REVOKED). The software could be communicating with a malicious host."
}
{
"source": [
"if (cert = SSL_get_peer_certificate(ssl)) {\n\n\n// got certificate, host can be trusted\n\n\n//foo=SSL_get_verify_result(ssl);\n\n\n//if (X509_V_OK==foo) ...\n\n\n}"
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
}
],
"cwe_id": "CWE-295",
"example_id": "5",
"explanation": "The following OpenSSL code ensures that the host has a certificate.Note that the code does not call SSL_get_verify_result(ssl), which effectively disables the validation step that checks the certificate."
}
{
"source": [
"bool DoSecureStuff(HANDLE hPipe) {bool fDataWritten = false;ImpersonateNamedPipeClient(hPipe);HANDLE hFile = CreateFile(...);/../RevertToSelf()/../}"
],
"source_status": [
{
"vul_flag": 1,
"language": "C++"
}
],
"cwe_id": "CWE-273",
"example_id": "1",
"explanation": "This code attempts to take on the privileges of a user before creating a file, thus avoiding performing the action with unnecessarily high privileges:The call to ImpersonateNamedPipeClient may fail, but the return value is not checked. If the call fails, the code may execute with higher privileges than intended. In this case, an attacker could exploit this behavior to write a file to a location that the attacker does not have access to."
}
{
"source": [
"char buf[10], cp_buf[10];fgets(buf, 10, stdin);strcpy(cp_buf, buf);"
],
"source_status": [
{
"vul_flag": 1,
"language": "C"
}
],
"cwe_id": "CWE-754",
"example_id": "1",
"explanation": "Consider the following code segment:The programmer expects that when fgets() returns, buf will contain a null-terminated string of length 9 or less. But if an I/O error occurs, fgets() will not null-terminate buf. Furthermore, if the end of the file is reached before any characters are read, fgets() returns without writing anything to buf. In both of these situations, fgets() signals that something unusual has happened by returning NULL, but in this code, the warning will not be noticed. The lack of a null terminator in buf can result in a buffer overflow in the subsequent call to strcpy()."
}
{
"source": [
"buf = (char*) malloc(req_size);strncpy(buf, xfer, req_size);"
],