
Create .env #60

Open
wants to merge 2 commits into base: master

Conversation

saargon
Contributor

@saargon saargon commented Jun 15, 2023

No description provided.

@@ -0,0 +1 @@
PASSWORD=PASS!@#%!WORD
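Review bot: a plaintext credential is committed in this hunk, in a new `.env` file, which the scanner comment below also flags as an Env Generic Credential. Suggest dropping the file from the PR, adding `.env` to `.gitignore`, and committing a `.env.example` with placeholder values instead; because the value is already in the branch history, the password should be rotated regardless of whether this PR is merged.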


⚠️ Aqua detected sensitive data in your code

Category: Env Generic
Description: Env Generic Credential
Severity: HIGH
Match: PASSWORD=*************
[This comment was created by Aqua Pipeline]

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"
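Review bot: only the opening `<project>` line of this 234-line pom.xml is visible here, so the dependency coordinates cannot be checked directly, but the scanner comments attached to this hunk report findings in Guava, Commons FileUpload, Commons IO, HSQLDB, PgJDBC, Spring Security and Spring Framework, each with a `Fixed Version` listed. Suggest raising each dependency to at least the listed fixed version before merge (for Guava, 32.0.1 rather than 32.0.0, as that comment notes) and filling in the missing PR description so the reason for introducing these dependencies is recorded.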


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2018-10237
Check Name: guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
Severity: MEDIUM
Fixed Version: 24.1.1-jre, 24.1.1-android
Reachable Path(s) Found: No
Description: Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2018-10237

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2023-2976
Check Name: Guava vulnerable to insecure use of temporary directory
Severity: MEDIUM
Fixed Version: 32.0.0
Reachable Path(s) Found: No
Description: Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2023-2976

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2020-8908
Check Name: guava: local information disclosure via temporary directory created with unsafe permissions
Severity: LOW
Fixed Version: 30.0
Reachable Path(s) Found: No
Description: A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2020-8908

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2023-24998
Check Name: FileUpload DoS with excessive parts
Severity: HIGH
Fixed Version: 1.5
Reachable Path(s) Found: No
Description: Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2023-24998

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2021-29425
Check Name: apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6
Severity: MEDIUM
Fixed Version: 2.7
Reachable Path(s) Found: No
Description: In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2021-29425

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-41853
Check Name: Untrusted input may lead to RCE attack
Severity: CRITICAL
Fixed Version: 2.7.1
Reachable Path(s) Found: No
Description: Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-41853

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2020-13692
Check Name: postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML
Severity: HIGH
Fixed Version: 42.2.13
Reachable Path(s) Found: No
Description: PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2020-13692

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-22978
Check Name: Authorization Bypass in RegexRequestMatcher
Severity: CRITICAL
Fixed Version: 5.5.7, 5.6.4
Reachable Path(s) Found: No
Description: In spring security versions prior to 5.4.11+, 5.5.7+, 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an authorization bypass.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-22978

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2016-5007
Check Name: spring: Path matching inconsistency
Severity: HIGH
Fixed Version: 4.1.1.RELEASE
Reachable Path(s) Found: No
Description: Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2016-5007

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2021-22112
Check Name: jenkins: Privilege escalation vulnerability in bundled Spring Security library
Severity: HIGH
Fixed Version: 5.2.9.RELEASE, 5.3.8.RELEASE, 5.4.4
Reachable Path(s) Found: No
Description: Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2021-22112

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-22976
Check Name: BCrypt skips salt rounds for work factor of 31
Severity: MEDIUM
Fixed Version: 5.5.7, 5.6.4
Reachable Path(s) Found: No
Description: Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-22976

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2021-22112
Check Name: jenkins: Privilege escalation vulnerability in bundled Spring Security library
Severity: HIGH
Fixed Version: 5.2.9, 5.4.4
Reachable Path(s) Found: No
Description: Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2021-22112

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-22965
Check Name: spring-framework: RCE via Data Binding on JDK 9+
Severity: CRITICAL
Fixed Version: 5.2.20, 5.3.18
Reachable Path(s) Found: No
Description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-22965

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2018-1270
Check Name: spring-framework: Possible RCE via spring messaging
Severity: CRITICAL
Fixed Version: 4.3.16
Reachable Path(s) Found: No
Description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2018-1270

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2018-1275
Check Name: spring-framework: Address partial fix for CVE-2018-1270
Severity: CRITICAL
Fixed Version: 4.3.16, 5.0.5
Reachable Path(s) Found: No
Description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2018-1275

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-22965
Check Name: spring-framework: RCE via Data Binding on JDK 9+
Severity: CRITICAL
Fixed Version: 5.2.20, 5.3.18
Reachable Path(s) Found: No
Description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-22965

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2016-5007
Check Name: spring: Path matching inconsistency
Severity: HIGH
Fixed Version: 4.3.1.RELEASE
Reachable Path(s) Found: No
Description: Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2016-5007

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2016-9878
Check Name: Spring Framework: Directory Traversal in the Spring Framework ResourceServlet
Severity: HIGH
Fixed Version: 3.2.18, 4.2.9, 4.3.5
Reachable Path(s) Found: No
Description: An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2016-9878

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2018-1272
Check Name: spring-framework: Multipart content pollution
Severity: HIGH
Fixed Version: 4.3.15, 5.0.5
Reachable Path(s) Found: No
Description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2018-1272

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2018-15756
Check Name: springframework: DoS Attack via Range Requests
Severity: HIGH
Fixed Version: 5.1.1, 4.3.20
Reachable Path(s) Found: No
Description: Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2018-15756

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2019-11272
Check Name: spring-security-core: mishandling of user passwords allows logging in with a password of NULL
Severity: HIGH
Fixed Version: 4.3.0.RELEASE
Reachable Path(s) Found: No
Description: Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2019-11272

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2018-1257
Check Name: spring-framework: ReDoS Attack with spring-messaging
Severity: MEDIUM
Fixed Version: 4.3.17
Reachable Path(s) Found: No
Description: Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2018-1257

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2018-1271
Check Name: spring-framework: Directory traversal vulnerability with static resources on Windows filesystems
Severity: MEDIUM
Fixed Version: 4.3.15
Reachable Path(s) Found: No
Description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2018-1271

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2019-3795
Check Name: spring-security-core: Insecure randomness when using a secureRandom instance constructed by Spring Security
Severity: MEDIUM
Fixed Version: 4.3.0.RELEASE, 5.0.13.RELEASE, 5.1.6.RELEASE
Reachable Path(s) Found: No
Description: Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2019-3795

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2020-5421
Check Name: springframework: RFD protection bypass via jsessionid
Severity: MEDIUM
Fixed Version: 4.3.29.RELEASE, 5.0.19.RELEASE, 5.1.18.RELEASE, 5.2.9.RELEASE
Reachable Path(s) Found: No
Description: In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2020-5421

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-22968
Check Name: Spring Framework: Data Binding Rules Vulnerability
Severity: MEDIUM
Fixed Version: 5.2.21, 5.3.19
Reachable Path(s) Found: No
Description: In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-22968

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-22970
Check Name: DoS via data binding to multipartFile or servlet part
Severity: MEDIUM
Fixed Version: 5.2.22.RELEASE, 5.3.20
Reachable Path(s) Found: No
Description: In spring framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-22970

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2020-5421
Check Name: springframework: RFD protection bypass via jsessionid
Severity: MEDIUM
Fixed Version: 4.3.29.RELEASE, 5.0.19.RELEASE, 5.1.18.RELEASE, 5.2.9.RELEASE
Reachable Path(s) Found: No
Description: In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2020-5421

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2016-9878
Check Name: Spring Framework: Directory Traversal in the Spring Framework ResourceServlet
Severity: HIGH
Fixed Version: 3.2.18.RELEASE, 4.2.9.RELEASE.4.2, 4.3.5.RELEASE
Reachable Path(s) Found: No
Description: An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2016-9878

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2018-1272
Check Name: spring-framework: Multipart content pollution
Severity: HIGH
Fixed Version: 5.0.5.RELEASE
Reachable Path(s) Found: No
Description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2018-1272

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"


⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2018-15756
Check Name: springframework: DoS Attack via Range Requests
Severity: HIGH
Fixed Version: 4.3.20.RELEASE, 5.0.10.RELEASE, 5.1.1.RELEASE
Reachable Path(s) Found: No
Description: Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2018-15756

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2018-1271
Check Name: spring-framework: Directory traversal vulnerability with static resources on Windows filesystems
Severity: MEDIUM
Fixed Version: 4.3.15.RELEASE, 5.0.5.RELEASE
Reachable Path(s) Found: No
Description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2018-1271

@@ -0,0 +1,234 @@
<project xmlns="http://maven.apache.org/POM/4.0.0"

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2020-5421
Check Name: springframework: RFD protection bypass via jsessionid
Severity: MEDIUM
Fixed Version: 4.3.29.RELEASE, 5.0.19.RELEASE, 5.1.18.RELEASE, 5.2.9.RELEASE
Reachable Path(s) Found: No
Description: In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2020-5421

@@ -0,0 +1,1032 @@
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
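Review bot: this lockfile pins several packages at versions the scanner marks as vulnerable, and the fix is the same for all of them: raise the ranges in package.json and regenerate the lockfile rather than hand-editing it (the header itself says the file is autogenerated). The versions the findings below resolve to are axios 0.21.0 (fixed 0.21.2), follow-redirects below 1.14.8, decode-uri-component 0.2.0 (fixed 0.2.1), loader-utils 2.0.0 (fixed 2.0.4), json5 before 1.0.2 / 2.2.2, moment before 2.29.4, node-fetch before 2.6.7, and jQuery before 3.5.0. The two follow-redirects findings (Authorization header and private data leaking across redirects) and the json5 __proto__ key handling change runtime behaviour even without a "Reachable Path" hit, so they should not wait for a routine dependency refresh.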

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2021-3749
Check Name: nodejs-axios: Regular expression denial of service in trim function
Severity: HIGH
Fixed Version: 0.21.2
Reachable Path(s) Found: No
Description: axios is vulnerable to Inefficient Regular Expression Complexity
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2021-3749

@@ -0,0 +1,1032 @@
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2020-28168
Check Name: nodejs-axios: allows an attacker to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address
Severity: MEDIUM
Fixed Version: 0.21.1
Reachable Path(s) Found: No
Description: Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2020-28168

@@ -0,0 +1,1032 @@
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-38900
Check Name: improper input validation resulting in DoS
Severity: HIGH
Fixed Version: 0.2.1
Reachable Path(s) Found: No
Description: decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-38900

@@ -0,0 +1,1032 @@
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-0155
Check Name: follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor
Severity: HIGH
Fixed Version: 1.14.7
Reachable Path(s) Found: No
Description: follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-0155

@@ -0,0 +1,1032 @@
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-0536
Check Name: Exposure of Sensitive Information via Authorization Header leak
Severity: MEDIUM
Fixed Version: 1.14.8
Reachable Path(s) Found: No
Description: Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-0536

@@ -0,0 +1,1032 @@
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2019-11358
Check Name: jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
Severity: MEDIUM
Fixed Version: >=3.4.0
Reachable Path(s) Found: No
Description: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2019-11358

@@ -0,0 +1,1032 @@
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2020-11022
Check Name: jquery: Cross-site scripting due to improper jQuery.htmlPrefilter method
Severity: MEDIUM
Fixed Version: 3.5.0
Reachable Path(s) Found: No
Description: In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2020-11022

@@ -0,0 +1,1032 @@
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2020-11023
Check Name: jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods
Severity: MEDIUM
Fixed Version: 3.5.0
Reachable Path(s) Found: No
Description: In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2020-11023

@@ -0,0 +1,1032 @@
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-46175
Check Name: Prototype Pollution in JSON5 via Parse Method
Severity: HIGH
Fixed Version: 1.0.2, 2.2.2
Reachable Path(s) Found: No
Description: JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-46175

@@ -0,0 +1,1032 @@
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-37601
Check Name: prototype pollution in function parseQuery in parseQuery.js
Severity: CRITICAL
Fixed Version: 1.4.1, 2.0.3
Reachable Path(s) Found: No
Description: Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-37601

@@ -0,0 +1,1032 @@
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-37599
Check Name: regular expression denial of service in interpolateName.js
Severity: HIGH
Fixed Version: 3.2.1, 2.0.4, 1.4.2
Reachable Path(s) Found: No
Description: A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-37599

@@ -0,0 +1,1032 @@
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-37603
Check Name: Regular expression denial of service
Severity: HIGH
Fixed Version: 3.2.1, 2.0.4, 1.4.2
Reachable Path(s) Found: No
Description: A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-37603

@@ -0,0 +1,1032 @@
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2017-18214
Check Name: nodejs-moment: Regular expression denial of service
Severity: HIGH
Fixed Version: 2.19.3
Reachable Path(s) Found: No
Description: The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2017-18214

@@ -0,0 +1,1032 @@
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-24785
Check Name: Path traversal in moment.locale
Severity: HIGH
Fixed Version: 2.29.2
Reachable Path(s) Found: No
Description: Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-24785

@@ -0,0 +1,1032 @@
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-31129
Check Name: inefficient parsing algorithm resulting in DoS
Severity: HIGH
Fixed Version: 2.29.4
Reachable Path(s) Found: No
Description: moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-31129

@@ -0,0 +1,1032 @@
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2022-0235
Check Name: exposure of sensitive information to an unauthorized actor
Severity: HIGH
Fixed Version: 2.6.7, 3.1.1
Reachable Path(s) Found: No
Description: node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2022-0235

@@ -0,0 +1,1032 @@
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.

⚠️ Aqua detected vulnerability in your code

Vulnerability ID: CVE-2020-15168
Check Name: node-fetch: size of data after fetch() JS thread leads to DoS
Severity: LOW
Fixed Version: 3.0.0-beta.9, 2.6.1
Reachable Path(s) Found: No
Description: node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/nvd/cve-2020-15168

Comment on lines +1 to +12
resource "aws_db_instance" "default" {
allocated_storage = 10
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t3.micro"
name = "mydb"
username = "foo"
password = "foobarbaz"
parameter_group_name = "default.mysql5.7"
skip_final_snapshot = true
publicly_accessible = true
}
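Review bot: the master credential is committed in plain text (`password = "foobarbaz"` alongside `username = "foo"`); take it from a variable marked `sensitive = true` that is populated from a secrets manager, and rotate this value, since it is already in the pull request history. The same block sets `publicly_accessible = true` and `skip_final_snapshot = true` and leaves every setting the scanner flags below at its default; the minimum fix for this hunk is `publicly_accessible = false`, `storage_encrypted = true`, a `backup_retention_period` above the default 1 day, `deletion_protection = true`, `iam_database_authentication_enabled = true`, and dropping `skip_final_snapshot` unless this is a throwaway test instance (all of these are aws_db_instance arguments not present in the diff).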

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-AWS-0077
Check Name: RDS Cluster and RDS instance should have backup retention longer than default 1 day
Severity: MEDIUM
Message: Instance has very low backup retention period.
Resolution: Explicitly set the retention period to greater than the default
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/avd-aws-0077

Comment on lines +1 to +12
resource "aws_db_instance" "default" {
allocated_storage = 10
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t3.micro"
name = "mydb"
username = "foo"
password = "foobarbaz"
parameter_group_name = "default.mysql5.7"
skip_final_snapshot = true
publicly_accessible = true
}

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-AWS-0080
Check Name: RDS encryption has not been enabled at a DB Instance level.
Severity: HIGH
Message: Instance does not have storage encryption enabled.
Resolution: Enable encryption for RDS instances
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/avd-aws-0080

password = "foobarbaz"
parameter_group_name = "default.mysql5.7"
skip_final_snapshot = true
publicly_accessible = true

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-AWS-0082
Check Name: A database resource is marked as publicly accessible.
Severity: CRITICAL
Message: Instance is exposed publicly.
Resolution: Set the database to not be publicly accessible
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/avd-aws-0082

Comment on lines +1 to +12
resource "aws_db_instance" "default" {
allocated_storage = 10
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t3.micro"
name = "mydb"
username = "foo"
password = "foobarbaz"
parameter_group_name = "default.mysql5.7"
skip_final_snapshot = true
publicly_accessible = true
}

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-AWS-0133
Check Name: Enable Performance Insights to detect potential problems
Severity: LOW
Message: Instance does not have performance insights enabled.
Resolution: Enable performance insights
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/avd-aws-0133

Comment on lines +1 to +12
resource "aws_db_instance" "default" {
allocated_storage = 10
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t3.micro"
name = "mydb"
username = "foo"
password = "foobarbaz"
parameter_group_name = "default.mysql5.7"
skip_final_snapshot = true
publicly_accessible = true
}

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-AWS-0176
Check Name: RDS IAM Database Authentication Disabled
Severity: MEDIUM
Message: Instance does not have IAM Authentication enabled
Resolution: Modify the PostgreSQL and MySQL type RDS instances to enable IAM database authentication.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/n/a

Comment on lines +1 to +12
resource "aws_db_instance" "default" {
allocated_storage = 10
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t3.micro"
name = "mydb"
username = "foo"
password = "foobarbaz"
parameter_group_name = "default.mysql5.7"
skip_final_snapshot = true
publicly_accessible = true
}

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-AWS-0177
Check Name: RDS Deletion Protection Disabled
Severity: MEDIUM
Message: Instance does not have Deletion Protection enabled
Resolution: Modify the RDS instances to enable deletion protection.
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/n/a

password = "foobarbaz"
parameter_group_name = "default.mysql5.7"
skip_final_snapshot = true
publicly_accessible = true

⚠️ Aqua detected misconfiguration in your code

Misconfiguration ID: AVD-AWS-0180
Check Name: RDS Publicly Accessible
Severity: HIGH
Message: Instance has Public Access enabled
Resolution: Remove the public endpoint from the RDS instance
[This comment was created by Aqua Pipeline]

Read more at https://avd.aquasec.com/misconfig/n/a

1 participant