CWE-499 Java Questions (UNCLASSIFIED)

2021-08-26 Thread Hood, Jonathan W CTR USARMY DEVCOM AVMC (USA)
CLASSIFICATION: UNCLASSIFIED We played with CWE-499 for a while and couldn't get variables that don't explicitly disable serialization to serialize (a statement in the CWE and implied by the example) without using reflection; however, using reflection, you can change the scope of internal

CWE Clarification: CWE-1007 and Homoglyphs in Source Code

2021-11-30 Thread Hood, Jonathan W CTR USARMY DEVCOM AVMC (USA)
Currently, CWE-1007 is a child of UI misrepresentation. However, source code can be maliciously injected using bidi and Unicode homoglyphs as well (see https://www.swatips.com/articles/20211129.html and https://arxiv.org/abs/2111.00169 and the examples under

RE: [Non-DoD Source] Is there a CWE for this?

2022-07-03 Thread Hood, Jonathan W CTR USARMY DEVCOM AVMC (USA)
I see what you’re saying about the CWE-14[0-6] family being pretty limited to input processing when the issue could exist because of input or malformed output. Perhaps changing these to input/output would be more inclusive of this type of issue. Good catch. From: Kurt Seifried Sent: