CodeQL

A static analysis framework for discovering vulnerabilities across a codebase.

Security DSLs provided by the Tool

Security Checks provided by the Tool
Using RSA encryption without OAEP padding can result in a padding oracle attack, leading to weaker encryption.
Resolving externally-provided content URIs without validation can allow an attacker to access unexpected resources.
Using external input as an index to an array, without proper validation, can lead to index out of bound exceptions.
Using unvalidated external input as the argument to a construction of an array can lead to index out of bound exceptions.
Using unvalidated local input as the argument to a construction of an array can lead to index out of bound exceptions.
Using a code-specified value that may be zero as the argument to a construction of an array can lead to index out of bound exceptions.
Using a code-specified value as an index to an array, without proper validation, can lead to index out of bound exceptions.
Using local user input as an index to an array, without proper validation, can lead to index out of bound exceptions.
An enabled debugger can allow for entry points in the application or reveal sensitive information.
Enabling Webview debugging in production builds can expose entry points or leak sensitive information.
A prefix used to check that a canonicalised path falls within another must be slash-terminated.
A prefix used to check that a canonicalised path falls within another must be slash-terminated.
Using a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it.
Deserializing user-controlled data may allow attackers to execute arbitrary code.
Reading from a file which is set as world writable is dangerous because the file may be modified or removed by external actors.
Extracting files from a malicious ZIP file, or similar type of archive, without validating that the destination file path is within the destination directory can allow an attacker to unexpectedly gain access to resources.
Accessing paths influenced by users can allow an attacker to access unexpected resources.
Accessing paths influenced by users can allow an attacker to access unexpected resources.
Disabling HTTP header validation makes code vulnerable to attack by header splitting if user input is written directly to an HTTP header.
Writing user input directly to an HTTP header makes code vulnerable to attack by header splitting.
Writing user input directly to an HTTP header makes code vulnerable to attack by header splitting.
Sensitive information displayed in UI text views should be properly masked.
Enabling access to the file system in a WebView allows attackers to view sensitive information.
Writing information without explicit permissions to a shared temporary directory may disclose it to other users.
Access to content providers in a WebView can allow access to protected information by loading content:// links.
Sensitive information exposed in a system notification can be read by an unauthorized application.
Non-HTTPS connections can be intercepted by third parties.
Non-SSL connections can be intercepted by third parties.
Connections that are specified by non-SSL socket factories can be intercepted by third parties.
This reports the external APIs that are used with untrusted data, along with how frequently the API is called, and how many unique sources of untrusted data flow to it.
Overly permissive regular expression ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer.
Data provided remotely is used in this external API without sanitization, which could be a security risk.
An initialization vector (IV) used for ciphers of certain modes (such as CBC or GCM) should be unique and unpredictable, to maximize encryption strength and prevent dictionary attacks.
User-controlled bypassing of sensitive methods may allow attackers to avoid passing through authentication systems.
Using user-controlled data in a permissions check may result in inappropriate permissions being granted.
Using a vulnerable version of JHipster to generate random numbers makes it easier for attackers to take over accounts.
Using broken or weak cryptographic algorithms can allow an attacker to compromise security.
Using broken or weak cryptographic algorithms can allow an attacker to compromise security.
Building an XPath expression from user-controlled sources is vulnerable to insertion of malicious code by the user.
Local authentication that does not make use of a `CryptoObject` can be bypassed.
Generation of keys with insecure parameters for local biometric authentication can allow attackers with physical access to bypass authentication checks.
Using a resource after an unsynchronized state check can lead to a race condition, if the state may be changed between the check and use.
Writing user input directly to a web page allows for a cross-site scripting vulnerability.
Writing user input directly to a web page allows for a cross-site scripting vulnerability.
Enabling JavaScript execution in a WebView can result in cross-site scripting attacks.
Exposing a Java object in a WebView with a JavaScript interface can lead to malicious JavaScript controlling the application.
Performing a JNDI lookup with a user-controlled name can lead to the download of an untrusted object and to execution of arbitrary code.
Performing an XSLT transformation with user-controlled stylesheets can lead to information disclosure or execution of arbitrary code.
Modifying the HTTP session attributes based on data from an untrusted source may violate a trust boundary.
Using a deprecated artifact repository may eventually give attackers access for a supply chain attack.
Building a SQL or Java Persistence query by concatenating a possibly-untrusted string is vulnerable to insertion of malicious code.
Building a SQL or Java Persistence query from user-controlled sources is vulnerable to insertion of malicious code by the user.
Building a SQL or Java Persistence query from user-controlled sources is vulnerable to insertion of malicious code by the user.
SSLSocket/SSLEngine ignores all SSL certificate validation errors when establishing an HTTPS connection, thereby making the app vulnerable to man-in-the-middle attacks.
Sending sensitive data to a 'ResultReceiver' obtained from an untrusted source can allow malicious actors access to your information.
Sending an implicit and mutable 'PendingIntent' to an unspecified third party component may provide an attacker with access to internal components of the application or cause other unintended effects.
An Android application uses implicit Intents containing sensitive data in a way that exposes it to arbitrary applications on the device.
Making web requests based on unvalidated user-input may cause the server to communicate with malicious servers.
Non-HTTPS connections can be intercepted by third parties.
Using concatenated strings in a command line is vulnerable to malicious insertion of special characters in the strings.
Passing environment variables containing externally controlled strings to a command line is vulnerable to malicious changes to the environment of a subprocess.
Using externally controlled strings in a command line is vulnerable to malicious changes in the strings.
Using externally controlled strings in a command line is vulnerable to malicious changes in the strings.
Executing a command with a relative path is vulnerable to malicious changes in the PATH environment variable.
Arithmetic operations on uncontrolled data that is not validated can cause overflows.
Arithmetic operations on user-controlled data that is not validated can cause overflows.
Arithmetic operations on user-controlled data that is not validated can cause overflows.
Comparisons between types of different widths in a loop condition can cause the loop to behave unexpectedly.
If a variable is assigned the maximum or minimum value for that variable's type and is then used in an arithmetic expression, this may result in an overflow.
Cleartext storage of sensitive information using SharedPreferences on Android allows access for users with root privileges or unexpected exposure from chained vulnerabilities.
Cleartext storage of sensitive information using a local database on Android allows access for users with root privileges or unexpected exposure from chained vulnerabilities.
Allowing application backups may allow an attacker to extract sensitive data.
Storing sensitive information in cleartext can expose it to an attacker.
Storing sensitive information in cleartext can expose it to an attacker.
Cleartext storage of sensitive information in the Android filesystem allows access for users with root privileges or unexpected exposure from chained vulnerabilities.
Storing sensitive information in cleartext can expose it to an attacker.
Building log entries from user-controlled data may allow insertion of forged log entries by malicious users.
Certain standard library routines are dangerous to call.
Disabling CSRF protection makes the application vulnerable to a Cross-Site Request Forgery (CSRF) attack.
Parsing user-controlled XML documents and allowing expansion of external entity references may lead to disclosure of confidential data or denial of service.
Parsing user-controlled XML documents and allowing expansion of external entity references may lead to disclosure of confidential data or denial of service.
User input should not be used in regular expressions without first being escaped, otherwise a malicious user may be able to provide a regex that could require exponential time on certain inputs.
A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks.
A regular expression that can require polynomial time to match may be vulnerable to denial-of-service attacks.
Android components with an '<intent-filter>' and no 'android:exported' attribute are implicitly exported, which can allow for improper access to the components themselves and to their data.
Android content providers which do not configure both read and write permissions can allow permission bypass.
URL redirection based on unvalidated user-input may cause redirection to malicious web sites.
URL redirection based on unvalidated user-input may cause redirection to malicious web sites.
Returning an externally provided Intent via 'setResult' may allow a malicious application to access arbitrary content providers of the vulnerable application.
Starting Android components with user-provided Intents can provide access to internal components of the application, increasing the attack surface and potentially causing unintended effects.
Using a cryptographically insecure pseudo-random number generator to generate a security-sensitive value may allow an attacker to predict what value will be generated.
Network connections that do not use certificate pinning may allow attackers to eavesdrop on communications.
Trusting all certificates allows an attacker to perform a machine-in-the-middle attack.
Trusting all certificates allows an attacker to perform a machine-in-the-middle attack.
Failing to check the JSON Web Token (JWT) signature may allow an attacker to forge their own tokens.
JavaScript rendered inside WebViews can access protected application files and web resources from any origin exposing them to attack.
Using a hard-coded credential in a sensitive call may compromise security.
Hard-coding a password string may compromise security.
Using a hard-coded credential in a call to a sensitive Java API may compromise security.
Comparing a parameter to a hard-coded credential may compromise security.
Creating an intent with a URI pointing to an untrusted file can lead to the installation of an untrusted application.
Evaluation of a user-controlled JEXL expression may lead to arbitrary code execution.
Evaluation of a user-controlled Spring Expression Language (SpEL) expression may lead to remote code execution.
Evaluation of a user-controlled MVEL expression may lead to remote code execution.
User-controlled data may be evaluated as a Java EL expression, leading to arbitrary code execution.
Evaluation of a user-controlled Groovy script may lead to arbitrary code execution.
Untrusted input interpreted as a template can lead to remote code execution.
Writing sensitive information to log files can allow that information to be leaked to an attacker more easily.
Building an LDAP query from user-controlled sources is vulnerable to insertion of malicious LDAP code by the user.
Opening a socket after authenticating via a different channel may allow an attacker to connect to the port first.
Basic authentication only obfuscates username/password in Base64 encoding, which can be easily recognized and reversed. Transmitting sensitive information without using HTTPS makes the data vulnerable to packet sniffing.
LDAP authentication with credentials sent in cleartext makes sensitive information vulnerable to remote attackers.
Casting user-controlled numeric data to a narrower type without validation can cause unexpected truncation.
Casting user-controlled numeric data to a narrower type without validation can cause unexpected truncation.
An insecure implementation of the 'isValidFragment' method of the 'PreferenceActivity' class may allow a malicious application to bypass access controls, exposing the application to unintended effects.
Instantiating an Android fragment from a user-provided value may allow a malicious application to bypass access controls, exposing the application to unintended effects.
Using cryptographic algorithms with too small a key size can allow an attacker to compromise security.
A broadcast receiver that does not verify the intents it receives may be susceptible to unintended behavior caused by third-party applications sending it explicit intents.
Acquiring multiple locks in a different order may cause deadlock.
An iteration or loop with an exit condition that cannot be reached is an indication of faulty logic and can likely lead to infinite looping.
Evaluation of an OGNL Expression Language statement with user-controlled input can lead to execution of arbitrary code.
Marking a certificate as valid for a host without checking the certificate hostname allows an attacker to perform a machine-in-the-middle attack.
Configuring a Java application to use authenticated mail session over SSL without certificate validation makes the session susceptible to a man-in-the-middle attack.
Information from a stack trace propagates to an external user. Stack traces can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit.
Allowing the keyboard to cache sensitive information may result in information leaks to other applications.
Insecure cookies may be sent in cleartext, which makes them vulnerable to interception.
Using external input in format strings can lead to exceptions or information leaks.
Using external input in format strings can lead to exceptions or information leaks.
Accessing an array without first checking that the index is within the bounds of the array can cause undefined behavior and can also be a security risk.
Exceeding the size of a static array during write or access operations may result in a buffer overflow.
Incorrect use of a function that accesses a memory buffer may read or write data past the end of that buffer.
An initialization function is used to initialize a local variable, but the returned status code is not checked. The variable may be left in an uninitialized state, and reading the variable may result in undefined behavior.
Mixing up the failure conditions of 'operator new' and 'operator new(std::nothrow)' can result in unexpected behavior.
Exposing sensitive system data helps a malicious user learn about the system and form an attack plan.
Exposing system data or debugging information helps a malicious user learn about the system and form an attack plan.
Setting a DACL to NULL in a SECURITY_DESCRIPTOR will result in an unprotected object. If the DACL that belongs to the security descriptor of an object is set to NULL, a null DACL is created. A null DACL grants full access to any user who requests it; normal security checking is not performed with respect to the object.
Opening a file with the O_CREAT flag but without a mode argument reads arbitrary bytes from the stack.
Creating a file that is world-writable can allow an attacker to write to the file.
Accessing paths influenced by users can allow an attacker to access unexpected resources.
Storing sensitive information in a non-encrypted database can expose it to an attacker.
Calling the lock method of a mutex twice in succession might cause a deadlock.
A lock that is acquired one or more times without a matching number of unlocks may cause a deadlock.
Locking mutexes in different orders in different threads can cause deadlock.
Non-HTTPS connections can be intercepted by third parties.
This reports the external APIs that are used with untrusted data, along with how frequently the API is called, and how many unique sources of untrusted data flow to it.
This reports the external APIs that are used with untrusted data, along with how frequently the API is called, and how many unique sources of untrusted data flow to it.
Data provided remotely is used in this external API without sanitization, which could be a security risk.
Data provided remotely is used in this external API without sanitization, which could be a security risk.
Using untrusted inputs in a statement that makes a security decision makes code vulnerable to attack.
Using broken or weak cryptographic algorithms can allow an attacker to compromise security.
Using an old version of OpenSSL can allow remote attackers to retrieve portions of memory.
Casting a byte string to a wide-character string is likely to yield a string that is incorrectly terminated or aligned. This can lead to undefined behavior, including buffer overruns.
A subtraction with an unsigned result can never be negative. Using such an expression in a relational comparison with `0` is likely to be wrong.
Separately checking the state of a file before operating on it may allow an attacker to modify the file between the two operations.
Writing user input directly to a web page allows for a cross-site scripting vulnerability.
Using externally controlled strings in a process operation can allow an attacker to execute malicious commands.
Including user-supplied data in a SQL query without neutralizing special elements can make code vulnerable to SQL Injection.
Casting an HRESULT to/from a Boolean type and then using it in a test expression will yield an incorrect result because success (S_OK) in HRESULT is indicated by a value of 0.
Referencing the contents of a unique pointer after the underlying object has expired may lead to unexpected behavior.
If the value of a call to 'c_str' outlives the underlying object it may lead to unexpected behavior.
Casting a value to an incompatible type can lead to undefined behavior.
Using user-supplied data in an OS command, without neutralizing special elements, can make code vulnerable to command injection.
Arithmetic operations on uncontrolled data that is not validated can cause overflows.
A user-controlled integer arithmetic expression that is not validated can cause overflows.
Allocating memory with a size controlled by an external user can result in integer overflow.
Arithmetic operations on user-controlled data that is not validated can cause overflows.
Comparisons between types of different widths in a loop condition can cause the loop to behave unexpectedly.
If a variable is assigned the maximum or minimum value for that variable's type and is then used in an arithmetic expression, this may result in an overflow.
Using `cin` without specifying the length of the input may be dangerous.
Use of a standard library function that does not guard against buffer overflow.
Use of a standard library function that is not thread-safe.
Parsing user-controlled XML documents and allowing expansion of external entity references may lead to disclosure of confidential data or denial of service.
Always check the result of certificate verification after fetching an SSL certificate.
Only accept SSL certificates that pass certificate verification.
Authentication by checking that the peer's address matches a known IP or web address is unsafe as it is vulnerable to spoofing attacks.
Implicit scaling of pointer arithmetic expressions can cause buffer overflow conditions.
Explicitly scaled pointer arithmetic expressions can cause buffer overflow conditions if the offset is also implicitly scaled.
Implicit scaling of pointer arithmetic expressions can cause buffer overflow conditions.
Implicit scaling of pointer arithmetic expressions can cause buffer overflow conditions.
Calling a function of the CreateProcess* family of functions, where the path contains spaces, introduces a security vulnerability.
Using the `memset` function to clear private data in a variable that has no subsequent use can make information-leak vulnerabilities easier to exploit because the compiler can remove the call.
Dereferencing an out-of-bounds pointer is undefined behavior and may lead to security vulnerabilities.
Calling a variadic function without a sentinel value may result in a buffer overflow if the function expects a specific value to terminate the argument list.
Buffer write operations that do not control the length of data written may overflow.
Buffer write operations that do not control the length of data written may overflow when floating point inputs take extreme values.
Buffer write operations that do not control the length of data written may overflow.
Buffer write operations with a length parameter that does not match the size of the destination buffer may overflow.
Buffer write operations that do not control the length of data written may overflow.
Allocating a buffer using 'malloc' without ensuring that there is always space for the entire string and a zero terminator can cause a buffer overrun.
Using cryptographic algorithms with too small a key size can allow an attacker to compromise security.
Storing sensitive information in cleartext can expose it to an attacker.
Storing sensitive information in cleartext can expose it to an attacker.
Transmitting sensitive information across a network in cleartext can expose it to an attacker.
A loop with an unsatisfiable exit condition could prevent the program from terminating, making it vulnerable to a denial of service attack.
String operations on user-controlled strings can result in buffer overflow or buffer over-read.
Using externally-controlled format strings in printf-style functions can lead to buffer overflows or data representation problems.