Merge branch 'develop' into 73-improve-xjc-binding

2025-01-13 10:43:28 +01:00 · 2025-01-13 10:43:28 +01:00 · 3c6728ee59
commit 3c6728ee59
parent 3ba1a7ac26 6bdd5c63ea
1 changed files with 18 additions and 0 deletions
--- a/owasp.xml
+++ b/owasp.xml
@ -72,4 +72,22 @@
        </notes>
        <cve>CVE-2024-23076</cve>
    </suppress>
+    <suppress>
+        <notes>
+            https://nvd.nist.gov/vuln/detail/CVE-2024-49203
+            https://github.com/querydsl/querydsl/issues/3757
+
+            Basically if you allow untrusted user input to be used in the "ORDER BY" clause
+            you can be vulnerable to SQL injection.
+
+            I believe this is nonsense and akin to saying every Java application has a
+            security vulnerability because JDBC allows you to execute arbitrary SQL if you
+            do not properly use PreparedStatement with parameters over a string-concatenated
+            Statement.
+
+            Even if this is considered a valid vulnerability we do not, currently, allow
+            untrusted user input to be used in the "ORDER BY" clause.
+        </notes>
+        <cve>CVE-2024-49203</cve>
+    </suppress>
 </suppressions>