[JAVA] CWE-706: Use of Incorrectly-Resolved Name or Reference & CWE-201: Exposure of Sensitive Information Through Sent Data #137

Closed
1 task done
intrigus-lgtm opened this issue Jun 24, 2020 · 12 comments
Labels
The Bug Slayer Submissions to The Bug Slayer bounty

Comments

@intrigus-lgtm
Contributor

intrigus-lgtm commented Jun 24, 2020

CVE ID(s)

List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.

Report

Paths that can be influenced by users (= Directory traversal) where the content of the path is returned to the user or where user data is written to.
"Arbitrary read and write"
Query: github/codeql#3794

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing
@intrigus-lgtm intrigus-lgtm added the The Bug Slayer Submissions to The Bug Slayer bounty label Jun 24, 2020
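The pattern the query above targets, as an added illustration that is not code from the issue or from the CodeQL query itself: a user-controlled file name is concatenated into a filesystem path and the file's content is returned (the "arbitrary read" half; the write half has the same shape with `Files.write`). The base directory `/var/app/uploads` and the sample inputs are assumed for the example. The hardened variant resolves against the base, normalizes `..` segments, and rejects any result that escapes the base, which also covers absolute-path input because `Path.resolve` returns an absolute argument unchanged.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class PathTraversalExample {
    // Assumed base directory for the example; not taken from the original issue.
    private static final Path BASE =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    // Vulnerable: the user-supplied name is spliced straight into the path.
    // "../../etc/passwd" or "/etc/passwd" ends up outside BASE; if the caller
    // then reads the file back to the user, that is the arbitrary-read sink
    // the query describes.
    static Path vulnerableResolve(String userName) {
        return Paths.get("/var/app/uploads/" + userName);
    }

    // Hardened: resolve against BASE, collapse "." and ".." lexically, then
    // require the result to still sit under BASE. Absolute input is caught
    // too, because BASE.resolve("/etc/passwd") is just "/etc/passwd".
    static Path safeResolve(String userName) {
        Path target = BASE.resolve(userName).normalize();
        if (!target.startsWith(BASE)) {
            throw new IllegalArgumentException("path escapes base directory: " + userName);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign, three traversal attempts.
        String[] inputs = {
            "report.txt",
            "../../etc/passwd",
            "sub/../..//etc/shadow",
            "/etc/passwd"
        };
        for (String in : inputs) {
            System.out.println("input      : " + in);
            System.out.println("vulnerable : " + vulnerableResolve(in).normalize());
            try {
                System.out.println("hardened   : " + safeResolve(in));
            } catch (IllegalArgumentException e) {
                System.out.println("hardened   : rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

One caveat a reviewer of the hardened form should keep in mind: `normalize()` is purely lexical and does not follow symbolic links, so a symlink inside the base directory that points outside it still passes the `startsWith` check. Where the file must already exist, `toRealPath()` on both sides resolves links before the comparison; otherwise the base directory has to be kept free of untrusted symlinks.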
@anticomputer
Contributor

@intrigus-lgtm as per https://securitylab.github.com/bounties this submission in the Bug Slayer category will require at least 4 CVEs to be triaged as a direct result of this query's findings. We understand this is still a work in progress, so please update this issue when your CVE listings start coming in and we'll move the award evaluation process along accordingly. Thanks!

@JarLob
Contributor

JarLob commented Oct 22, 2020

@intrigus-lgtm Any update on this?

@intrigus-lgtm
Contributor Author

Still a work in progress...

@JarLob
Contributor

JarLob commented Jan 13, 2021

Hey @intrigus-lgtm It is my shift again :) Any updates?

@intrigus-lgtm
Contributor Author

Nice to see you again :)

I recently hunted for some "easier" bugs before hunting using this query.
Sorry for the long delay, I hope it's ok that this is taking a bit longer.
If not I can of course prioritize this query :)

Also I'm still waiting for GHSA-7557-4v29-rqw6 to get published.
Can you or github staff publish security advisories when the maintainers don't publish it?
The advisory has been ready (CVE assigned, description) for like 2 months.
I've pinged some people in that organization and hope that someone will publish it, but what happens if they don't publish it?

@intrigus-lgtm
Contributor Author

Finally, GHSA-7557-4v29-rqw6 got published and CVE-2020-15097 got assigned :)

@JarLob
Contributor

JarLob commented Feb 18, 2021

Cool, glad it was published. We cannot force maintainers to publish advisories on their repositories. CVEs are another story; it is probably possible to get one assigned if there are disagreements with code owners.
Still waiting for another 2 to be eligible for bounty.

@ghsecuritylab
Collaborator

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@JarLob
Contributor

JarLob commented Mar 1, 2021

@xcorail This is interesting, looks like there was a glitch in automation, so the issue was marked as in status Closed although it is not.
@intrigus-lgtm However, to keep it aligned with #108 and #221 I'll remove it from our bounty pipeline for now.
Feel free to re-submit when two more CVEs are assigned!

@xcorail
Contributor

xcorail commented Mar 1, 2021

Sorry about that. An automation bug caused the internal issue to be duplicated. So I closed the duplicate, and that triggered the comment above. But the original internal issue was not closed.
@JarLob if you decide to close the internal tracking issue, you should also close this one, with the approval of @intrigus-lgtm

@xcorail
Contributor

xcorail commented Mar 1, 2021

Closing as per the comment above

@xcorail xcorail closed this as completed Mar 1, 2021
@ghsecuritylab
Collaborator

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed
