Filter by tag: java

Java Security Advent Calendar 2019

1 min read 28 Nov 2019 by Johannes Dahse
The December season starts and it is our tradition at RIPS to announce and release a fun security advent calendar. We added support for the popular Java language to RIPS code analysis and hence this year we will give away a daily Java security challenge. Can you spot the vulnerability?

RIPS 3.3: Scaling Security Testing to Large Teams

5 min read 12 Nov 2019 by Martin Bednorz
RIPS 3.3 is now available! It enables to scale our cutting-edge SAST technology to large teams and applications. Run parallel scans with our new data center edition, increase analysis depth with an improved dependency and framework analysis, and enjoy an upgraded user experience with new notifications, user activity statistics, and a RIPS health check.

Bitbucket 6.1.1 Path Traversal to RCE

6 min read 3 Sep 2019 by Johannes Moritz
Bitbucket is one of the worlds leading version control software allowing millions of developers to manage Git repositories and collaborate on source code. Bitbucket is developed by the Australian software company Atlassian which is also kown for Confluence and Jira. In this blog post we will analyse how a common but often overseen security issue found by RIPS Code Analysis leads to a critical vulnerability in Bitbucket (CVE-2019-3397). The issue is caused by the insecure extraction of a compressed TAR archive.

dotCMS 5.1.5: Exploiting H2 SQL injection to RCE

6 min read 25 Jun 2019 by Johannes Moritz
In this blog post we will show how to exploit a SQL injection vulnerability (CVE-2019-12872) found by RIPS Code Analysis in the popular java-based content management system dotCMS and how we escalated it to execute code remotely.

The Hidden Flaws of Archives in Java

4 min read 29 May 2019 by Johannes Moritz
Archives such as Zip, Tar, Jar or 7z are useful formats to collect and compress multiple files or directories in a container-like structure. However, the extraction of archives can introduce security risks which resulted in multiple critical vulnerabilities in popular applications in the past. In this post we explain the risk behind archive extraction and show how to securely extract archives in Java.