Running Veracode on the Spectrum OneClick system shows vulnerabilities CWE IDs 829 and 693

Article ID: 373066


Products

CA Spectrum DX NetOps

Issue/Introduction

After running Veracode on the Spectrum OneClick system, we see it identified the following two vulnerabilities:

CWE ID 829 = Inclusion of Functionality from Untrusted Control Sphere

CWE ID 693 = Protection Mechanism Failure

Is Spectrum OneClick affected by these vulnerabilities?

Environment

Version: Spectrum 22.x and 23.x
Component: Vulnerability

Resolution

The fix for CWE 829 is already implemented. OneClick uses the built-in Tomcat filters, which do not yet support the Content-Security-Policy (CSP) header; custom filters may be needed to add CSP support, but the X-Frame-Options, HSTS and other security headers that are already present should cover the need for CSP.
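As an added illustration of the custom filter the resolution mentions (example code, not Spectrum or Broadcom code), the following servlet Filter adds a Content-Security-Policy header next to the headers Tomcat's built-in HttpHeaderSecurityFilter already sets. It assumes Tomcat 9 (javax.servlet, Servlet 4.0); the class name, the init-param names and the starting policy are choices made for this example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not Spectrum/Broadcom code: a minimal servlet Filter that
 * adds a Content-Security-Policy header beside Tomcat's built-in
 * HttpHeaderSecurityFilter (which sets X-Frame-Options, HSTS and
 * X-Content-Type-Options, but no CSP). Assumes Tomcat 9 (javax.servlet,
 * Servlet 4.0); on Tomcat 10+ the imports become jakarta.servlet.
 */
public class ContentSecurityPolicyFilter implements Filter {
    // Conservative starting policy; widen it to the application's real script,
    // style and image sources, otherwise the UI breaks. frame-ancestors covers
    // the same clickjacking case as X-Frame-Options in CSP-aware browsers.
    private static final String DEFAULT_POLICY =
        "default-src 'self'; frame-ancestors 'self'; object-src 'none'";

    private String headerName = "Content-Security-Policy";
    private String policy = DEFAULT_POLICY;

    @Override
    public void init(FilterConfig config) {
        // Both init-param names are hypothetical, chosen for this example.
        String p = config.getInitParameter("policy");
        if (p != null && !p.trim().isEmpty()) policy = p.trim();
        // Report-only mode reports violations without blocking anything;
        // run it first to measure impact before enforcing.
        if ("true".equalsIgnoreCase(config.getInitParameter("reportOnly"))) {
            headerName = "Content-Security-Policy-Report-Only";
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // setHeader (not addHeader) so a repeated pass cannot emit duplicates.
            ((HttpServletResponse) res).setHeader(headerName, policy);
        }
        chain.doFilter(req, res);
    }
}
```

Register it in the web application's web.xml with a <filter> entry and a <filter-mapping> on /* alongside HttpHeaderSecurityFilter, and confirm the resulting headers with a client such as curl before switching from report-only to enforcing mode. Changes made inside a vendor-shipped webapp can be overwritten by a product upgrade, so keep the change documented and re-verify after patching.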

The fix for CWE 693 will be included in 23.3.13 when released.