Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 16.0.0, Meridian-2016.1.1
- Fix Version/s: 20.0.2, Meridian-2016.1.6, Meridian-2017.1.0
- Component/s: Database, Web UI - Dashboard
- Security Level: Default (Default Security Scheme)
- Labels: None
- Sprint: Horizon - July 12th
Description
DefaultSurveillanceViewService uses a CriteriaBuilder.sql() call to filter on category names, but the names are neither parameterized nor escaped, so this is a possible SQL injection site.
We should refactor this to avoid manually constructing the SQL query string.
The behavior was introduced in commit 62f4577d57177d1688ed91aa9d0738fa62b57486:
https://github.com/OpenNMS/opennms/commit/62f4577d57177d1688ed91aa9d0738fa62b57486
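As an added illustration (not code from the OpenNMS project; it assumes a simplified one-column `categories` table and uses Python's sqlite3 in place of the real schema and the Criteria API), the string-splicing pattern flagged above beside a parameterized equivalent that binds one placeholder per category name:

```python
import sqlite3

# Constructed sample rows standing in for OpenNMS category data (assumption:
# a one-column table, not the real OpenNMS schema).
CATEGORIES = [("Routers",), ("Switches",), ("O'Brien Site",)]


def setup_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (categoryname TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?)", CATEGORIES)
    return conn


def unsafe_filter_sql(names):
    """The pattern the issue describes: names spliced straight into the SQL text.
    Any quote in a name becomes part of the query's structure."""
    quoted = ", ".join("'" + n + "'" for n in names)
    return "SELECT categoryname FROM categories WHERE categoryname IN (" + quoted + ")"


def unsafe_filter_fails(conn, names):
    """Return True if the spliced query is rejected by the database parser."""
    try:
        conn.execute(unsafe_filter_sql(names)).fetchall()
        return False
    except sqlite3.OperationalError:
        return True


def safe_filter(conn, names):
    """Parameterized form: the SQL text only ever contains placeholders, and the
    driver binds the values, so quotes in a name cannot alter the query."""
    if not names:
        return []  # avoid emitting 'IN ()', which many databases reject
    placeholders = ", ".join("?" for _ in names)
    sql = "SELECT categoryname FROM categories WHERE categoryname IN (" + placeholders + ")"
    return sorted(row[0] for row in conn.execute(sql, tuple(names)))


if __name__ == "__main__":
    db = setup_db()
    print(unsafe_filter_sql(["O'Brien Site"]))          # quote breaks the IN list
    print(unsafe_filter_fails(db, ["O'Brien Site"]))    # True
    print(safe_filter(db, ["Routers", "O'Brien Site"]))  # both rows, correctly
```

The apostrophe case shows the structural problem without any crafted input: whatever ends up in the query text is parsed as SQL, which is exactly what binding parameters prevents.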
Issue Links
- depends on: NMS-9480 Add parameterized SQL support to Criteria API (Resolved)