World-Readable Temp File Exposes Password Hash

When svrAdmin processes `-add <sid> --p` or `-reset <sid> --p`, the salted SHA-256 password hash is appended to the command string and written to a temp file created with File.crea…

SQL Injection via Unchecked DB Name in BSim PostgreSQL Database Drop

PostgresFunctionDatabase concatenates the BSim server's database name directly into a SQL string used to check database existence and then into a DROP DATABASE statement. A server-…

SQL Injection via LSH Vector saveSQL() in BSim Vector Insertion

The storeSignatureRecord() method in PostgresFunctionDatabase constructs a SQL function call by directly interpolating the output of LSHVector.saveSQL() into the query string. If s…

Malicious Ghidra Script in Shared Repository Achieves Analyst Workstation Code Execution

Ghidra scripts (Jython, Java, JShell, PyGhidra) execute in the same OS process as the analyst without sandboxing. If an attacker commits a malicious script to a shared GhidraServer…

TraceRMI Session Spoofing Tampers with Live Debugging State (Repudiation)

Because TraceRMI has no authentication, there is no binding between a debug session and a verified identity. An analyst cannot prove which debug agent (or whether a legitimate agen…

SQL injection via unescaped filter value in BSim search

`atom.value` (user-provided executable name filter text) is concatenated directly into a SQL literal string with no escaping: `buf.append("exetable.name_exec = '").append(atom.valu…

SQL injection via unescaped filter value in BSim MD5 filter

`atom.value` is concatenated directly into a SQL literal: `buf.append("exetable.md5 = '").append(atom.value).append('\'')`.

SQL injection via unescaped filter value in BSim path filter

`atom.value` is concatenated into a SQL `position()` function call without escaping: `buf.append("position( '\'").append(atom.value).append("\' in pathtable.val) = 1")`.

Arbitrary Binary Execution via JAAS Config

`Runtime.getRuntime().exec(cmdArray)` executes an operator-configured binary path (PROGRAM) together with operator-configured arguments (ARG_00…ARG_N) read from the JAAS config fil…

PKI authentication can be bypassed by omitting the signature

`if (sigBytes != null)` on line 143 makes the entire token-signature verification conditional. A client that calls `SignatureCallback.sign(certChain, null)` (as permitted by Signat…

Deserialization Filter Can Be Disabled at Runtime

The GhidraServer's global Java deserialization filter is unconditionally skipped when the system property `ghidra.server.serialization.filter.disabled` is `true`. With no filter in…

Hardcoded 'changeme' JKS Keystore Password

Hardcoded password 'changeme' used as the actual JKS keystore password when creating and loading the self-signed certificate keystore for the Ghidra server's fallback TLS identity.

Hardcoded 'changeme' PostgreSQL Role Password

Hardcoded default password 'changeme' used as the actual PostgreSQL role password when resetting a BSim database user account via `ALTER ROLE … WITH PASSWORD`.

SQL injection via BSim PostgreSQL database name

The database name from `serverInfo.getDBName()` is concatenated directly into SQL queries using string concatenation. The `BSimServerInfo` constructor only validates that `dbName` …

SQL Injection in BSim Executable Name Filter

SQL injection: same pattern as ExecutableNameBSimFilterType. User-supplied `atom.value` is directly interpolated into `exetable.name_exec != '<user_input>'` without escaping. No ov…

SQL Injection in changePassword()

the username field from a PasswordChange query is directly interpolated into ALTER ROLE "<username>" without escaping double-quote characters. An attacker sending a PasswordChange …

DDL injection via unquoted table name in OptionalTable.createTable()

the `name` field (representing a SQL table identifier) is concatenated directly into a `CREATE TABLE` DDL statement and a `GRANT SELECT ON <name> TO PUBLIC` statement without ident…

Path Traversal in External Login Program Resolution

`new File(externalProgram).getAbsoluteFile()` resolves the PROGRAM path against the JVM's current working directory rather than a safe base directory. No subsequent check verifies …

Serialization Filter Bypass via System Property

Invariant violation: "A global Java serialization filter is always installed on the Ghidra Server to block unauthorized class deserialization attacks; the filter rejects all classe…

Authentication Error Messages Leak Internal Details

Invariant violation: "Authentication errors exposed to clients are sanitized: FailedLoginException messages are replaced with 'User authentication failed' and LoginException messag…