DMC/scipro
7
0
Fork 0
Code Issues 20 Pull Requests 1 Actions Projects 1 Wiki Activity

Suppress warning about CVE-2024-49203 #71

Merged
tozh4728 merged 1 commits from cve-2024-49203 into develop 2025-01-09 12:54:44 +01:00
Conversation 2 Commits 1 Files Changed 1 +18
ansv7779 commented 2024-12-20 15:01:16 +01:00
Owner
Copy Link

https://nvd.nist.gov/vuln/detail/CVE-2024-49203
https://github.com/querydsl/querydsl/issues/3757

Basically if you allow untrusted user input to be used in the "ORDER BY" clause you can be vulnerable to SQL injection.

I believe this is nonsense and akin to saying every Java application has a security vulnerability because JDBC allows you to execute arbitrary SQL if you do not properly use PreparedStatement with parameters over a string-concatenated Statement.

Even if this is considered a valid vulnerability we do not, currently, allow untrusted user input to be used in the "ORDER BY" clause.

Fixes #45

https://nvd.nist.gov/vuln/detail/CVE-2024-49203 https://github.com/querydsl/querydsl/issues/3757 Basically if you allow untrusted user input to be used in the "ORDER BY" clause you can be vulnerable to SQL injection. I believe this is nonsense and akin to saying every Java application has a security vulnerability because JDBC allows you to execute arbitrary SQL if you do not properly use PreparedStatement with parameters over a string-concatenated Statement. Even if this is considered a valid vulnerability we do not, currently, allow untrusted user input to be used in the "ORDER BY" clause. Fixes #45
ansv7779 added 1 commit 2024-12-20 15:01:17 +01:00
Suppress warning about CVE-2024-49203
All checks were successful
Deploy to branch.dsv.su.se / deploy (pull_request) Successful in 2m31s
Details
Build and test / build-and-test (push) Successful in 15m45s
Details
Remove branch deployment from branch.dsv.su.se / cleanup (pull_request) Successful in 17s
Details
5540b4160b 
https://nvd.nist.gov/vuln/detail/CVE-2024-49203
https://github.com/querydsl/querydsl/issues/3757

Basically if you allow untrusted user input to be used in the "ORDER BY" clause
you can be vulnerable to SQL injection.

I believe this is nonsense and akin to saying every Java application has a
security vulnerability because JDBC allows you to execute arbitrary SQL if you
do not properly use PreparedStatement with parameters over a string-concatenated
Statement.

Even if this is considered a valid vulnerability we do not, currently, allow
untrusted user input to be used in the "ORDER BY" clause.
ansv7779 added this to the SciPro project 2024-12-20 15:01:17 +01:00
gitea-actions commented 2024-12-20 15:03:48 +01:00
First-time contributor
Copy Link

Deployed to https://scipro-cve-2024-49203.branch.dsv.su.se

Deployed to https://scipro-cve-2024-49203.branch.dsv.su.se
tozh4728 approved these changes 2025-01-08 09:50:10 +01:00
tozh4728 merged commit 6bdd5c63ea into develop 2025-01-09 12:54:44 +01:00
tozh4728 deleted branch cve-2024-49203 2025-01-09 12:54:44 +01:00
tozh4728 removed this from the SciPro project 2025-01-09 14:31:05 +01:00
Sign in to join this conversation.
Reviewers
No Reviewers
tozh4728
Labels
Clear labels
bug
Something is not working
discussion
duplicate
This issue or pull request already exists
enhancement
New feature
frozen
The issue is not solved, but it will be investigated in the future it the issue arises again
help wanted
Need some help
invalid
Something is wrong
new
To be discussed at the next meeting
po
approved
po
needed
question
More information is needed
size
1
size
2
size
3
wontfix
This won't be fixed
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: DMC/scipro#71
No description provided.
Delete Branch "cve-2024-49203"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?