Test case 156025

Type: source code
State: bad
Author: IARPA STONESOUP Test and Evaluation team
Status: candidate
Language: Java
Application: cpe:2.3:a:bo_zimmerman:coffeemud:5.8:*:*:*:*:*:*:*
Submission Date: 06 Oct 2015

Description

Using Hibernate to execute a dynamic SQL statement with built-in user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.

Metadata
-Base program: Coffee MUD
- Source Taint: ENVIRONMENT_VARIABLE
- Data Type: void_pointer
- Data Flow: address_as_function_return_value
- Control Flow: recursive

Flaws

CWE-564 SQL Injection: Hibernate

Test Suites

CoffeeMUD 5.8
IARPA STONESOUP Phase 3 - Test Cases

Documentation

Overview.pdf
Test Case Creation Guide.pdf
Weaknesses Documentation.pdf
TEXAS User Guide.pdf
Communication API Guide.pdf
System Design Document.pdf
Test Generation Report
Kestrel Institute Report.pdf

Have any comments on this test case? Please, send us an email.