[JAVA] CWE-706: Use of Incorrectly-Resolved Name or Reference & CWE-201: Exposure of Sensitive Information Through Sent Data

[intrigus-lgtm]

CVE ID(s)

List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.

• Pending

Report

Paths that can be influenced by users (= Directory traversal) where the content of the path is returned to the user or where user data is written to.
"Arbitrary read and write"
Query: github/codeql#3794

• Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Result(s)

Provide at least one useful result found by your query, on some revision of a real project.

• pending (CVE not yet disclosed)

[kevinbackhouse]

Hi @intrigus-lgtm. It looks like this one hasn't made any progress since last year. Is it ok if I drop it from our bounty pipeline for now? You can resubmit it when it's ready.

[ghsecuritylab]

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

[intrigus-lgtm]

@kevinbackhouse can you please reopen this?
I've found two CVEs with this query:
CVE-2020-15097
CVE-2020-4039
I've improved the query and just have to push the new version later today.

[kevinbackhouse]

Hi @intrigus-lgtm. I'm very sorry, but the bounty program has been sunset: #828. So, unfortunately, it is now too late for us to reopen this submission. I know you've been one of our top contributors, so I want to thank you for everything that you've done to help improve the CodeQL query suite.

[intrigus-lgtm]

@kevinbackhouse I don't want to be too pedantic, but when I wrote the comment it was still the 24th of June somewhere on earth.

I actually don't have too much of a problem with my "All-for-one" submission being closed iff you still consider my "Bug-slayer" submission valid.
This is an updated version of the query from the PR that finds those two CVEs perfectly.
As far as I remember "you" (sec lab) would still consider rejected (i.e. unmerged) "All-for-one" submission on a case-by-case basis for "Bug-Slayer" submissions:

[kevinbackhouse]

Hi @intrigus-lgtm. I'm sorry, but your submissions were still incomplete when our deadline expired on 2024-06-24. Unfortunately, you had not yet pushed the new version of the query and most of the details were still missing from #839. We want to be fair to all of our bounty participants, which means that we have to follow the rules that we wrote.