CWE-918 with Spring @Values parameters. You haven't provided much detail about the alleged vulnerability, but from a distance this looks like a false positive. If these properties are read from a configuration file that the end user (i.e., the attacker) cannot access, there is no vulnerability. In other words, if an attacker would need access to local files on your server to change these values, then once they have that level of access, this is the least of your concerns.
Veracode Static Analysis reports flaws of CWE-918 Server-Side Request Forgery (SSRF) when it detects an HTTP request that is sent out from the application containing input from outside of the application (for example from an HTTP request, a value from a file, a database result, a web service ...
References: Burp Collaborator
Vulnerability classifications: CWE-610: Externally Controlled Reference to a Resource in Another Sphere; CWE-918: Server-Side Request Forgery (SSRF)
1.1. https://127.0.0.1:8010/
Summary: Severity: High; Confidence: Certain; Host: https://127.0.0.1:8010; Path: /
Issue detail...