CCI-001310

Checks the validity of organization-defined information inputs to the system.

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

3 rules found Severity: Medium

2 rules found Severity: Medium

3 rules found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

CCI-001310

The A10 Networks ADC, when used for load-balancing web servers, must not allow the HTTP TRACE and OPTIONS methods.

Kona Site Defender must check the validity of all data inputs except those specifically identified by the organization.

The CA API Gateway must check the validity of all data inputs except those specifically identified by the organization.

The DataPower Gateway must check the validity of all data inputs except those specifically identified by the organization.

DB2 must check the validity of all data inputs except those specifically identified by the organization.

DB2 and associated applications must reserve the use of dynamic code execution for situations that require it.

DB2 and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.

SQL Server must check the validity of all data inputs except those specifically identified by the organization.

The DBMS and associated applications must reserve the use of dynamic code execution for situations that require it.

The DBMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.

The Windows 2012 DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, to include IP ranges and IP versions.

MongoDB must check the validity of all data inputs except those specifically identified by the organization.

MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it.

The DBMS must check the validity of data inputs.

PostgreSQL must check the validity of all data inputs except those specifically identified by the organization.

PostgreSQL and associated applications must reserve the use of dynamic code execution for situations that require it.

PostgreSQL and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.

The EDB Postgres Advanced Server must check the validity of all data inputs except those specifically identified by the organization.

The EDB Postgres Advanced Server and associated applications must reserve the use of dynamic code execution for situations that require it.

The EDB Postgres Advanced Server and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.

The BIG-IP ASM module must check the validity of all data inputs except those specifically identified by the organization.

The BIG-IP Core implementation must be configured to check the validity of all data inputs except those specifically identified by the organization.

IDMS must check the validity of all data input unless the organization says otherwise.

CA IDMS must permit the use of dynamic code execution only in circumstances determined by the organization and limit use of online and batch command facilities from which dynamic statements can be issued.

CA IDMS must limit the use of dynamic statements in applications, procedures, and exits to circumstances determined by the organization.

CA IDMS must limit use of IDMS server used in issuing dynamic statements from client applications circumstances determined by the organization.

CA IDMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.

The DNS server implementation must check the validity of all data inputs except those specifically identified by the organization.

The F5 BIG-IP appliance must check the validity of all data inputs except those specifically identified by the organization.

Azure SQL Database must check the validity of all data inputs except those specifically identified by the organization.

The Azure SQL Database and associated applications must reserve the use of dynamic code execution for situations that require it.

The Azure SQL Database and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.

Directory Browsing on the IIS 10.0 web server must be disabled.

Directory Browsing on the IIS 10.0 website must be disabled.

The Windows DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, including IP ranges and IP versions.

The MySQL Database Server 8.0 must check the validity of all data inputs except those specifically identified by the organization.

The MySQL Database Server 8.0 and associated applications must reserve the use of dynamic code execution for situations that require it.

The MySQL Database Server 8.0 and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.

Redis Enterprise DBMS and associated applications must reserve the use of dynamic code execution for situations that require it.

Redis Enterprise DBMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.

The Automation Controller NGINX web server must limit the character set used for data entry.

The web server must limit the character set used for data entry.

The web server must interpret and normalize ambiguous HTTP requests or terminate the TCP connection.

The web server must terminate the connection if server-level exceptions are triggered when handling requests to prevent HTTP request smuggling attacks.

The application server must check the validity of all data inputs to the management interface, except those specifically identified by the organization.

The ALG must check the validity of all data inputs except those specifically identified by the organization.

The application must protect from Cross-Site Scripting (XSS) vulnerabilities.

The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities.

The application must protect from command injection.

The application must protect from canonical representation vulnerabilities.

The application must validate all input.

The application must not be vulnerable to SQL Injection.

The application must not be vulnerable to XML-oriented attacks.

The DBMS must check the validity of all data inputs except those specifically identified by the organization.

The IDPS must, for fragmented packets, either block the packets or properly reassemble the packets before inspecting and forwarding.

The Mainframe Product must check the validity of all data inputs except those specifically identified by the organization.

MariaDB must check the validity of all data inputs except those specifically identified by the organization.

MariaDB and associated applications must reserve the use of dynamic code execution for situations that require it.

MariaDB and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.

The UEM server must check the validity of all data inputs.

The VMM must check the validity of all data inputs except those specifically identified by the organization.

ESX Agent Manager must set URIEncoding to UTF-8.

ESX Agent Manager must use the "setCharacterEncodingFilter" filter.

VAMI must set the encoding for all text Multipurpose Internet Mail Extensions (MIME) types to UTF-8.

Lookup Service must set URIEncoding to UTF-8.

Performance Charts must set "URIEncoding" to UTF-8.

Performance Charts must use the "setCharacterEncodingFilter" filter.

The vCenter ESX Agent Manager service must set URIEncoding to UTF-8.

The vCenter ESX Agent Manager service must configure the "setCharacterEncodingFilter" filter.

The Security Token Service must set "URIEncoding" to UTF-8.

The Security Token Service must use the "setCharacterEncodingFilter" filter.

The vCenter Lookup service must set URIEncoding to UTF-8.

The vCenter Lookup service must configure the "setCharacterEncodingFilter" filter.

vSphere UI must set URIEncoding to UTF-8.

The vCenter Perfcharts service must set URIEncoding to UTF-8.

The vCenter Perfcharts service must configure the "setCharacterEncodingFilter" filter.

The vCenter STS service must set URIEncoding to UTF-8.

The vCenter STS service must configure the "setCharacterEncodingFilter" filter.

The vCenter UI service must set URIEncoding to UTF-8.