CVE-2020-9X8X
This challenge covers the review of a CVE in a Java codebase and its patch
The Code Review Patch challenges are designed to hone your skills in identifying vulnerabilities by providing both the vulnerable code and the corresponding patch. Initially, you should attempt to find the issue without looking at the patch. If you struggle to identify the problem or wish to verify your findings, you can then examine the patch (the diff file) for confirmation.
For this particular challenge, the emphasis is on how the session is retrieved in the FileStore class of the Apache Catalina project. The code operates by storing and retrieving session data to and from files. The patch introduces a logging mechanism and checks to ensure paths are valid, which mitigates potential security risks associated with session retrieval.