奇安信CodeSafe

icon indicating a website link http://www.codesafe.cn/

Results 348 issues of 奇安信CodeSafe

Resource leak

Stream is opened https://github.com/twitter/vireo/blob/f950cba87014045e11b5690285e1c75081cd5787/imagetool/commands/frames.cpp#L72 Opened file never closed https://github.com/twitter/vireo/blob/f950cba87014045e11b5690285e1c75081cd5787/imagetool/commands/frames.cpp#L84

Xml external entity injection

Xml external entity is not disabled when parsing xml file ![图片](https://user-images.githubusercontent.com/39950310/57282465-b187dd80-70df-11e9-80ec-311c7ce84f02.png)

There is a vulnerability in spring-boot 2.2.0.RELEASE ,upgrade recommended

https://github.com/didi/ALITA/blob/db0a5139725916fd7dcb88072101c9e3c6e658be/pom.xml#L19-L21 CVE-2020-5421 Recommended upgrade version:2.2.10.RELEASE

There is a vulnerability in fastjson 1.2.62 ,upgrade recommended

https://github.com/didi/ALITA/blob/db0a5139725916fd7dcb88072101c9e3c6e658be/pom.xml#L90-L92 CVE-2020-8840 Recommended upgrade version:1.2.67.sec10

There is a vulnerability in spring 5.0.7.RELEASE ,upgrade recommended

https://github.com/didi/JuShaTa/blob/c4d1ba331ed926c88af3665af80b68f98a38698c/pom.xml#L22 CVE-2018-15756 CVE-2020-5398 CVE-2020-5421 Recommended upgrade version:5.0.19.RELEASE

There is a vulnerability in fastjson 1.2.58 ,upgrade recommended

https://github.com/didi/JuShaTa/blob/c4d1ba331ed926c88af3665af80b68f98a38698c/pom.xml#L31 CVE-2020-8840 Recommended upgrade version:1.2.60.sec10

There is a vulnerability in snakeyaml 1.23,upgrade recommended

https://github.com/didi/benchmark-thrift/blob/e6a6caf235f4ef81d3b1ccb20b812840f27a9c44/pom.xml#L19-L21 CVE-2017-18640 Recommended upgrade version:1.26

There is a vulnerability in fastjson 1.2.58,upgrade recommended

https://github.com/didi/benchmark-thrift/blob/e6a6caf235f4ef81d3b1ccb20b812840f27a9c44/pom.xml#L26-L28 CVE-2020-8840 Recommended upgrade version:1.2.60.sec10

JSON Injection

https://github.com/didi/sds/blob/0ac9dbe98b6e019bede3517dc333cf2a9e3c4013/sds-admin/src/main/java/com/didiglobal/sds/admin/controller/HeartbeatController.java#L43 https://github.com/didi/sds/blob/0ac9dbe98b6e019bede3517dc333cf2a9e3c4013/sds-admin/src/main/java/com/didiglobal/sds/admin/controller/HeartbeatController.java#L63 The method writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity.

Cross-Site Scripting: Reflected

https://github.com/didi/sds/blob/0ac9dbe98b6e019bede3517dc333cf2a9e3c4013/sds-admin/src/main/java/com/didiglobal/sds/admin/controller/HeartbeatController.java#L71-L73 There may be special characters in ‘’request.getParameter("client")‘’.Sending unvalidated data to a web browser can result in the browser executing malicious code.