Merge pull request github#15533 from JLLeitschuh/patch-5

atorralba · web-flow · commit b6385f79384a · 2024-02-12T15:04:05.000+01:00
Reduce severity of `java/relative-path-command`
diff --git a/java/ql/src/Security/CWE/CWE-078/ExecRelative.ql b/java/ql/src/Security/CWE/CWE-078/ExecRelative.ql
@@ -4,7 +4,7 @@
  *              malicious changes in the PATH environment variable.
  * @kind problem
  * @problem.severity warning
- * @security-severity 9.8
+ * @security-severity 5.4
  * @precision medium
  * @id java/relative-path-command
  * @tags security
diff --git a/java/ql/src/change-notes/2024-02-12-relative-exec-severity.md b/java/ql/src/change-notes/2024-02-12-relative-exec-severity.md
@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* The `security-severity` score of the query `java/relative-path-command` has been reduced to better adjust it to the specific conditions needed for exploitation.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: queryMetadata
 +---
 +* The `security-severity` score of the query `java/relative-path-command` has been reduced to better adjust it to the specific conditions needed for exploitation.