Merge pull request #15533 from JLLeitschuh/patch-5

Reduce severity of `java/relative-path-command`
2026-04-26 17:25:19 +02:00 · 2024-02-12 15:04:05 +01:00
parent 75a2b9415c e6623ebe4c
commit b6385f7938
2 changed files with 5 additions and 1 deletions
--- a/java/ql/src/Security/CWE/CWE-078/ExecRelative.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecRelative.ql
@@ -4,7 +4,7 @@
 *              malicious changes in the PATH environment variable.
 * @kind problem
 * @problem.severity warning
- * @security-severity 9.8
+ * @security-severity 5.4
 * @precision medium
 * @id java/relative-path-command
 * @tags security
--- a/java/ql/src/change-notes/2024-02-12-relative-exec-severity.md
+++ b/java/ql/src/change-notes/2024-02-12-relative-exec-severity.md
@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* The `security-severity` score of the query `java/relative-path-command` has been reduced to better adjust it to the specific conditions needed for exploitation.