Article - CS428345
Foundation.jar is flagged as having a "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')" by a security checking program (Verascan)
Modified: 03-Oct-2024
Applies To
- Windchill Foundation & PDM 8.0
Description
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Flagged call: java.lang.Class.forName in wt/access/AccessControlHelper.java, 65 25, method void <clinit>(void) (the class's static initializer)
This call to java.lang.Class.forName() uses reflection in an unsafe manner. An attacker can specify the class name to be loaded and instantiated, which may create unexpected control flow paths through the application. Depending on how reflection is being used, the attack vector may allow the attacker to bypass security checks or otherwise cause the application to behave in an unexpected manner. Even if the object does not implement the specified interface and a ClassCastException is thrown, the constructor of the untrusted class will have already executed. The first argument to forName() contains tainted data. The tainted data originated from an earlier call to java.net.URLConnection.getInputStream. Validate the class name against an allowlist (combined with a blocklist where needed) to ensure that only expected behavior is produced.
References: CWE-470 (https://cwe.mitre.org/data/definitions/470.html); OWASP, Unsafe use of Reflection (https://owasp.org/www-community/vulnerabilities/Unsafe_use_of_Reflection)
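The pattern the scanner describes, shown as an added example that is not Windchill or PTC code: a class name read from a URLConnection response is passed straight to Class.forName(), beside a hardened version that checks an allowlist, loads the class without running its static initializer, and verifies the type before instantiating it. The AccessPolicy interface, the DefaultPolicy class and the allowlist contents are assumptions made for this example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;
import java.util.Set;

// Added example, not PTC/Windchill code. Demonstrates CWE-470: a class name read
// from a remote response is handed to Class.forName() without validation.
public final class ReflectionExample {

    // Hypothetical extension point; the interface and its implementation are
    // assumptions made for this example.
    public interface AccessPolicy {
        boolean isAllowed(String principal, String resource);
    }

    public static final class DefaultPolicy implements AccessPolicy {
        public boolean isAllowed(String principal, String resource) {
            return true;
        }
    }

    // --- Vulnerable pattern (what the scanner flags) ---
    // The class name is remote-controlled. Class.forName(String) initializes the
    // class, so the static initializer of whatever was named runs before any
    // instanceof check or cast can reject it; newInstance() then runs its
    // constructor before the cast to AccessPolicy fails.
    static AccessPolicy loadPolicyUnsafe(URLConnection conn) throws Exception {
        String className = readFirstLine(conn);            // tainted data
        Class<?> clazz = Class.forName(className);         // CWE-470: static init runs here
        return (AccessPolicy) clazz.getDeclaredConstructor().newInstance();
    }

    // --- Hardened pattern ---
    // 1. Allowlist of fully qualified names that may be loaded (assumed contents).
    // 2. Class.forName(name, false, loader): initialize=false, so nothing in the
    //    named class executes until it has passed the checks below.
    // 3. isAssignableFrom() before instantiation, so a wrong type never gets its
    //    constructor invoked.
    private static final Set<String> ALLOWED_POLICIES = Set.of(
            "ReflectionExample$DefaultPolicy"
    );

    static AccessPolicy loadPolicySafe(String className) throws ReflectiveOperationException {
        if (className == null || !ALLOWED_POLICIES.contains(className)) {
            throw new IllegalArgumentException("class not in allowlist: " + className);
        }
        ClassLoader loader = ReflectionExample.class.getClassLoader();
        Class<?> clazz = Class.forName(className, false, loader);
        if (!AccessPolicy.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException("not an AccessPolicy: " + className);
        }
        return clazz.asSubclass(AccessPolicy.class).getDeclaredConstructor().newInstance();
    }

    // Reads the first line of the response body; this is the getInputStream()
    // taint source the scanner traces back to.
    static String readFirstLine(URLConnection conn) throws IOException {
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            String line = in.readLine();
            return line == null ? "" : line.trim();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one allowlisted name and one attacker-chosen name.
        AccessPolicy ok = loadPolicySafe("ReflectionExample$DefaultPolicy");
        System.out.println("loaded " + ok.getClass().getName()
                + ", isAllowed=" + ok.isAllowed("user", "resource"));
        try {
            loadPolicySafe("com.example.Evil");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is the fix the finding asks for; the other two steps address the part of the finding about code running before the check fails. Class.forName(String) always initializes the class it loads, so a blocklist applied after the call is already too late; the three-argument form with initialize=false defers that, and checking isAssignableFrom() before newInstance() means the constructor of an unexpected type never runs. Whether the call in AccessControlHelper is actually reachable with an attacker-chosen name depends on where that string really comes from at runtime; the taint trace to URLConnection.getInputStream is what the scanner reports.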