IBM / ibm-cos-sdk-java


SAST: CrossSiteScripting

JyothiBacham opened this issue · comments

Thank you for your report. Could you provide more explanation? You cited the description of CVE-2021-31684, a library the SDK does not depend on, and posted screenshots of a call tree for a separate item.

Hi @IBMeric, sorry, please ignore the description provided previously; I have deleted it. Our AppScan report says there is a risk of CrossSiteScripting at line 132 of AWSsigner. Attaching more details on the risk and recommendations here.

Hi, any update on this please?

This issue is present in upstream and is for v3 signatures that COS does not support. Clients should use IAM tokens or v4 signatures.
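As an added illustration of the maintainer's recommendation above (example code written for this page, not code from the SDK, the maintainers, or the reporter), here is a client factory that builds the COS client two ways, neither of which selects a v3 signer: with an IAM API key, where the SDK authenticates with a bearer token rather than an HMAC request signature, and with HMAC keys where the signer is pinned to SigV4. The class names follow the ibm-cos-sdk-java packages (com.ibm.cloud.objectstorage...), which mirror the AWS SDK for Java v1 API; the endpoint, location, timeouts, and credential values are placeholders chosen for this example.

```java
import com.ibm.cloud.objectstorage.ClientConfiguration;
import com.ibm.cloud.objectstorage.auth.AWSCredentials;
import com.ibm.cloud.objectstorage.auth.AWSStaticCredentialsProvider;
import com.ibm.cloud.objectstorage.auth.BasicAWSCredentials;
import com.ibm.cloud.objectstorage.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.ibm.cloud.objectstorage.oauth.BasicIBMOAuthCredentials;
import com.ibm.cloud.objectstorage.services.s3.AmazonS3;
import com.ibm.cloud.objectstorage.services.s3.AmazonS3ClientBuilder;

public class CosClientFactory {

    // Placeholder endpoint and location label; real values come from the COS service instance.
    private static final String ENDPOINT = "https://s3.us-south.cloud-object-storage.appdomain.cloud";
    private static final String LOCATION = "us-south";

    /**
     * Preferred path: IAM API key. The SDK exchanges the key for an IAM token and sends it as a
     * bearer token, so no HMAC request signer (v3 or v4) is used for these requests.
     */
    public static AmazonS3 withIamApiKey(String apiKey, String serviceInstanceId) {
        AWSCredentials creds = new BasicIBMOAuthCredentials(apiKey, serviceInstanceId);
        return AmazonS3ClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(creds))
                .withEndpointConfiguration(new EndpointConfiguration(ENDPOINT, LOCATION))
                .withPathStyleAccessEnabled(true)
                .withClientConfiguration(baseConfig())
                .build();
    }

    /**
     * HMAC path: explicitly pin the signer to SigV4 ("AWSS3V4SignerType" is the AWS SDK v1
     * signer name for S3 SigV4), so signer selection can never fall back to a v3 signer.
     */
    public static AmazonS3 withHmacKeys(String accessKeyId, String secretAccessKey) {
        AWSCredentials creds = new BasicAWSCredentials(accessKeyId, secretAccessKey);
        ClientConfiguration config = baseConfig().withSignerOverride("AWSS3V4SignerType");
        return AmazonS3ClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(creds))
                .withEndpointConfiguration(new EndpointConfiguration(ENDPOINT, LOCATION))
                .withPathStyleAccessEnabled(true)
                .withClientConfiguration(config)
                .build();
    }

    private static ClientConfiguration baseConfig() {
        // Timeout values are illustrative, not SDK defaults.
        return new ClientConfiguration()
                .withConnectionTimeout(5_000)
                .withRequestTimeout(5_000);
    }

    // Usage: credentials are read from the environment so no secret is embedded in source.
    public static void main(String[] args) {
        AmazonS3 cos = withIamApiKey(System.getenv("COS_API_KEY"), System.getenv("COS_INSTANCE_ID"));
        cos.listBuckets().forEach(b -> System.out.println(b.getName()));
    }
}
```

Of the two, the IAM path is the one to prefer for new code: it removes HMAC signing from the client entirely, so a finding against a signer class does not apply to the requests it sends. The signer override in the HMAC path is belt-and-braces; it makes the SigV4 choice explicit and reviewable in configuration rather than relying on the SDK's default selection.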