hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 17:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Updated text in LoadClassNoSignatureCheck.qhelp

Browse Source
This commit is contained in:
masterofnow
2023-11-12 20:48:49 +08:00
parent fd66f47d82
commit 20592352d0
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
java/ql/src/experimental/Security/CWE/CWE-470/LoadClassNoSignatureCheck.qhelp
View File

@@ -3,9 +3,10 @@
<overview>
<p>
If a vulnerable app obtains the ClassLoader of any app based solely on the package name without checking the package signature
allow attacker to create application with the targeted package name for "package namespace squatting".
If the victim install such malicious app in the same device as the vulnerable app, the vulnerable app would load
If a vulnerable loads classes or code of any app based solely on the package name of the app without
first checking the package signature of the app, this could malicious app with the same package name
to be loaded through "package namespace squatting".
If the victim user install such malicious app in the same device as the vulnerable app, the vulnerable app would load
classes or code from the malicious app, potentially leading to arbitrary code execution.
</p>
</overview>