
@kingthorin (Member) commented Jul 3, 2025

Overview

The SQL Injection SQLite scan rule has been renamed to indicate that it currently only does time-based tests (Issue 7341).

The union test code that it previously contained but wasn't using has been removed. If it is re-implemented sometime in the future, that rule should use rule ID 90038.

Related Issues

kingthorin force-pushed the sqli-sqlite-split branch 2 times, most recently from 3d50e7e to 05f11cf on July 3, 2025 14:55

@psiinon (Member) commented Jul 3, 2025

Checkmarx One – Scan Summary & Details 48a070dc-9ec7-4dc8-a0b8-08c880ed2246

New Issues (4)

Checkmarx found the following issues in this Pull Request

| Severity | Issue | Source File / Package | Checkmarx Insight |
| --- | --- | --- | --- |
| MEDIUM | CVE-2025-53864 | Maven-com.google.code.gson:gson-2.8.5 | Description: Connect2id Nimbus JOSE + JWT allows a remote attacker to cause a Denial-of-Service (DoS) via a deeply nested JSON object supplied in a JWT claim se... Attack Vector: NETWORK. Attack Complexity: LOW. ID: adVK7zSuCsxIRtahouzaRyMLFuH%2FCFX1%2Bv1vm1sbrbw%3D |
| MEDIUM | CVE-2025-53864 | Maven-com.google.code.gson:gson-2.3.1 | Description: Connect2id Nimbus JOSE + JWT allows a remote attacker to cause a Denial-of-Service (DoS) via a deeply nested JSON object supplied in a JWT claim se... Attack Vector: NETWORK. Attack Complexity: LOW. Exploitable Path: [email protected]/JsonPayloadGenerator.java - ... - [email protected]/gson/stream/JsonReader.java. ID: H2aqxaR1aaTZVxokUmAa%2FzfVxqasZq%2BhEjvqHRiPirg%3D |
| MEDIUM | CVE-2025-53864 | Maven-com.google.code.gson:gson-2.10.1 | Recommended version: 2.12.0. Description: Connect2id Nimbus JOSE + JWT allows a remote attacker to cause a Denial-of-Service (DoS) via a deeply nested JSON object supplied in a JWT claim se... Attack Vector: NETWORK. Attack Complexity: LOW. Exploitable Path: [email protected]/JsonPayloadGenerator.java - ... - [email protected]/gson/stream/JsonReader.java. ID: qoQAYl0KYqKEYGUpigip%2Fwiol3Jqe%2BYZlOMVd2fuS7o%3D |
| MEDIUM | CVE-2025-53864 | Maven-com.google.code.gson:gson-2.11.0 | Recommended version: 2.12.0. Description: Connect2id Nimbus JOSE + JWT allows a remote attacker to cause a Denial-of-Service (DoS) via a deeply nested JSON object supplied in a JWT claim se... Attack Vector: NETWORK. Attack Complexity: LOW. Exploitable Path: [email protected]/JsonPayloadGenerator.java - ... - [email protected]/gson/stream/JsonReader.java. ID: v%2BrbtPy5JGlv8%2Bn6%2BXzCZsp%2BrNr9AfYx7lPwyk7QjEA%3D |

kingthorin force-pushed the sqli-sqlite-split branch from 05f11cf to 8dba17b on July 7, 2025 16:36
kingthorin force-pushed the sqli-sqlite-split branch 7 times, most recently from 7897ddb to 9ceb537 on July 16, 2025 15:04
kingthorin changed the title from "ascanrules: SQLi SQLite split timing tests to new scan rule" to "ascanrules: SQLi SQLite rename scan rule (all time based)" on Jul 16, 2025
kingthorin force-pushed the sqli-sqlite-split branch 3 times, most recently from 0134d42 to 7d903e9 on July 16, 2025 15:19

@thc202 (Member) commented Jul 17, 2025

Thank you!

thc202 requested a review from psiinon on July 17, 2025 10:23
thc202 merged commit fa9bc85 into zaproxy:main on Jul 17, 2025
8 of 9 checks passed
github-actions bot locked and limited conversation to collaborators on Jul 17, 2025
kingthorin deleted the sqli-sqlite-split branch on July 17, 2025 10:50