AAE Client 11.3.4 Veracode Report


Veracode Detailed Report

Application Security Report


As of 4 Dec 2019
Prepared for: Automation Anywhere
Prepared on: December 5, 2019
Application: Automation Anywhere Enterprise
Sandbox: 11.3.4_Client_Release
Industry: Software
Business Criticality: BC5 (Very High)
Required Analysis: Manual Penetration Test, Static
Type(s) of Analysis Conducted: Static
Scope of Static Scan: 74 of 193 Modules Analyzed

Inside This Report


Executive Summary 1
Summary of Flaws by Severity 1
Action Items 1
Flaw Types by Category 11
Policy Summary 12
Findings & Recommendations 14
Flaws in Common Modules 17
Methodology 22

While every precaution has been taken in the preparation of this document, Veracode, Inc. assumes no responsibility for errors, omissions, or for
damages resulting from the use of the information herein. The Veracode platform uses static and/or dynamic analysis techniques to discover
potentially exploitable flaws. Due to the nature of software security testing, the lack of discoverable flaws does not mean the software is 100%
secure.

© 2019 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com


Veracode Detailed Report prepared for Automation Anywhere – Dec 5, 2019

Veracode Detailed Report
Application Security Report
As of 4 Dec 2019
Application: Automation Anywhere Enterprise
Business Criticality: Very High
Mitigated Veracode Level: VL5
Original Veracode Level: VL1
Rated: Dec 4, 2019
Target Level: VL5
Adjusted/Published Rating: A*/D

Scans Included in Report

Static Scan: 8_2019-12-04-20:46:37-client (Score: 98, Completed: 12/4/19)
Dynamic Scan: Not Included in Report
Manual Penetration Test: Not Included in Report

Executive Summary
This report contains a summary of the security flaws identified in the application using manual penetration testing, automated static
and/or automated dynamic security analysis techniques. This is useful for understanding the overall security quality of an individual
application or for comparisons between applications.

Application Business Criticality: BC5 (Very High)
Impacts: Operational Risk (High), Financial Loss (High)
An application's business criticality is determined by business risk factors such as: reputation damage, financial loss, operational risk, sensitive information disclosure, personal safety, and legal violations. The Veracode Level and required assessment techniques are selected based on the policy assigned to the application.

Chart: Summary of Flaws Found by Severity
Chart: Analyses Performed vs. Required (Manual Penetration Test, Dynamic, Static, Any; Performed / Required)

Action Items:
Veracode recommends the following approaches, ranging from the most basic to the strongest security measures that a vendor can
undertake, to increase the overall security level of the application.
Required Analysis
Your policy requires Manual Penetration Test but it has not been performed. Please submit your application for Manual
Penetration Test and remediate the required detected flaws to conform to your assigned policy.
Your policy requires periodic Static Scan. Your next analysis must be completed by 3/4/20. Please submit your application
for Static Scan by the deadline and remediate the required detected flaws to conform to your assigned policy.

Flaw Severities


Medium severity flaws and above must be fixed for policy compliance.

Longer Timeframe (6 - 12 months)


Certify that software engineers have been trained on application security principles and practices.


Application Trend Data

Scope of Static Scan


The following modules were included in the static scan because the scan submitter selected them as entry points, which are modules that accept external data.

Engine Version: 20191108174706

The following modules were included in the application scan:


Module Name | Compiler | Operating Environment | Engine Version
AA.DiagnosticUtility.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
AA.EditorX.Controller.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
AA.EditorX.UI.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
AA.RemoteAgent.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
AA.SchemaXML.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
AAAutoLoginService.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
AAAvatarAccessibilityBridge.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
AAClientService.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
AAESchedulerService.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
AAMetaBotDesigner.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
AANotification.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
AAPlayer.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
AAPluginInstallation.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
AAProxyServer.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
AASilverlightInjector.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
AATerminalEmulator.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
AAWindowTheme.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
AAWorkbench.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation Anywhere.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation HelpViewer.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.ABBYYPlugin.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.AutoLoginHelper.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.BrowserAgent.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.ChatViewer.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.CitrixDriver.dll | MSVC14_X86 | Win32 | 20191108174706
Automation.Client.Contracts.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.Client.DeploymentService.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.Client.ServerCommunication.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.Client.Shared.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.ClientConfigurationService.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.Commands.Common.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.Common.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.Core.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.CR.ClientSdk.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.CR.Communication.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.CredentialProvider_v11.dll | MSVC14_X86 | Win32 | 20191108174706
Automation.CustomControls.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.Engine.Command.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.EventWatcher.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.FipsData.Migration.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.Generic.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.ImageAlgorithm.dll | MSVC14_X86 | Win32 | 20191108174706
Automation.Imaging.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.InternetExplorerAddIn.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.JavaBridge-32.dll | MSVC14_X86 | Win32 | 20191108174706
Automation.JavaBridge-64.dll | MSVC14_X86_64 | Win64 | 20191108174706
Automation.JavaBridge.dll | MSVC14_X86 | Win32 | 20191108174706
Automation.Legacy.NativeAPI.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.MetaBot.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.Metabot.Engine.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.MODIPlugin.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.Notification.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.ObjectAccessibility.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.Plugins.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.Plugins.Engines.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.Plugins.PdfBox.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.Recorder.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.RemoteClient.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.RemoteService.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.RestService.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.SAP.Integration.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.SchedulerLibrary.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.SilverlightPlugin.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
Automation.Skins.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
Automation.SSO.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.Tesseract4.dll | MSVC14_X86 | Win32 | 20191108174706
Automation.TesseractPlugin.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.TOCRPlugin.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.Util.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Automation.WorkflowManager.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
AutomationEventWatcher.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
RegisteredDll.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
RemoteClientViewer.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706
ReportManager.exe | MSIL_MSVC14_X86 | Win32 | 20191108174706

The following modules were not selected for a full scan. Code paths in these modules that are not called from a scanned module are
not included in this report.
Module Name | Compiler | Operating Environment | Engine Version
AForge.dll | MSIL_MSVC8_X86 | Win32 | 20191108174706
AForge.Imaging.dll | MSIL_MSVC8_X86 | Win32 | 20191108174706
at386.dll | MSVC9_X86 | Win32 | 20191108174706
attach.dll | MSVC10_X86 | Win32 | 20191108174706
AutoMapper.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
AxInterop.TTW4AXLib.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
AxInterop.WFICALib.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
BCProv.JDK15on.dll | MSIL_MSVC8_X86 | Win32 | 20191108174706
BouncyCastle.OpenPgp.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
Commons.Logging.dll | MSIL_MSVC8_X86 | Win32 | 20191108174706
Cybele.TNBridge.dll | BORLAND_DELPHI | Win32 | 20191108174706
DevExpress.Charts.v14.1.Core.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
DevExpress.Data.v14.1.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
DevExpress.PivotGrid.v14.1.Core.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
DevExpress.Printing.v14.1.Core.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
DevExpress.Utils.v14.1.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
DevExpress.XtraBars.v14.1.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
DevExpress.XtraCharts.v14.1.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
DevExpress.XtraCharts.v14.1.UI.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
DevExpress.XtraCharts.v14.1.Wizard.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
DevExpress.XtraEditors.v14.1.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
DevExpress.XtraGrid.v14.1.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
DevExpress.XtraLayout.v14.1.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
DevExpress.XtraNavBar.v14.1.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
DevExpress.XtraPivotGrid.v14.1.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
DevExpress.XtraPrinting.v14.1.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
DevExpress.XtraTreeList.v14.1.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
DiffUtils.dll | MSIL_MSVC8_X86 | Win32 | 20191108174706
Fontbox.dll | MSIL_MSVC8_X86 | Win32 | 20191108174706
FTP.dll | MSVC9_X86 | Win32 | 20191108174706
GetWord.dll | MSVC10_X86 | Win32 | 20191108174706
GetWord_x64.dll | MSVC10_X86_64 | Win64 | 20191108174706
GetWord_x64.exe | MSVC10_X86_64 | Win64 | 20191108174706
GetWordNT.dll | MSVC10_X86 | Win32 | 20191108174706
GetWordNT_x64.dll | MSVC10_X86_64 | Win64 | 20191108174706
Granados.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
HamcREST.Core.dll | MSIL_MSVC8_X86 | Win32 | 20191108174706
ibm3270.dll | MSVC9_X86 | Win32 | 20191108174706
ibm5250.dll | MSVC9_X86 | Win32 | 20191108174706
ICSharpCode.SharpZipLib.dll | MSIL_MSVC8_X86 | Win32 | 20191108174706
IKVM.Reflection.dll | MSIL_MSVC8_X86 | Win32 | 20191108174706
Interop.Accessibility.dll | MSIL_MSVC8_X86 | Win32 | 20191108174706
Interop.ADODB.dll | MSIL_MSVC8_X86 | Win32 | 20191108174706
Interop.CDO.dll | MSIL_MSVC8_X86 | Win32 | 20191108174706
Interop.CHILKATSSHLib.dll | MSIL_MSVC8_X86 | Win32 | 20191108174706
Interop.FREngine.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
Interop.FREngine_v12.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
Interop.MODI.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
Interop.olelib.dll | MSIL_MSVC8_X86 | Win32 | 20191108174706
Interop.SAPFEWSELib.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
Interop.SapROTWr.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
Interop.TDAPIOLELib.dll | MSIL_MSVC8_X86 | Win32 | 20191108174706
Interop.TTW4AXLib.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
Interop.WFICALib.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
ipworks16.dll | MSVC9_X86 | Win32 | 20191108174706
ipworksssh16.dll | MSVC9_X86 | Win32 | 20191108174706
ipworksws16.dll | MSVC9_X86 | Win32 | 20191108174706
JavaAccessBridge-32.dll | MSVC10_X86 | Win32 | 20191108174706
JavaAccessBridge-64.dll | MSVC10_X86_64 | Win64 | 20191108174706
JavaAccessBridge.dll | MSVC10_X86 | Win32 | 20191108174706
JAWTAccessBridge-32.dll | MSVC10_X86 | Win32 | 20191108174706
JAWTAccessBridge-64.dll | MSVC10_X86_64 | Win64 | 20191108174706
JAWTAccessBridge.dll | MSVC10_X86 | Win32 | 20191108174706
jcl-over-slf4j-1.7.6.dll | MSIL_MSVC8_X86 | Win32 | 20191108174706
JniGetWord.dll | MSVC10_X86 | Win32 | 20191108174706
leptonica-1.74.1.dll | MSVC14_X86 | Win32 | 20191108174706
liblept171.dll | MSVC14_X86 | Win32 | 20191108174706
LightInject.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
LightInject.ServiceLocation.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
Microsoft.WindowsAPICodePack.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
MindFusion.Barcodes.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
MindFusion.Common.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
MindFusion.Common.WinForms.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
MindFusion.Diagramming.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
MindFusion.Diagramming.WinForms.Controls.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
MindFusion.Diagramming.WinForms.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
MindFusion.Graphs.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
MindFusion.Licensing.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
MindFusion.Scripting.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
MindFusion.Svg.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
opencv_calib3d342.dll | MSVC14_X86 | Win32 | 20191108174706
opencv_core342.dll | MSVC14_X86 | Win32 | 20191108174706
opencv_highgui342.dll | MSVC14_X86 | Win32 | 20191108174706
opencv_imgcodecs342.dll | MSVC14_X86 | Win32 | 20191108174706
opencv_imgproc342.dll | MSVC14_X86 | Win32 | 20191108174706
opencv_objdetect342.dll | MSVC14_X86 | Win32 | 20191108174706
opencv_videoio342.dll | MSVC14_X86 | Win32 | 20191108174706
PdfBox.dll | MSIL_MSVC8_X86 | Win32 | 20191108174706
pdfium.dll | MSVC14_X86 | Win32 | 20191108174706
PdfiumViewer.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
Poderosa.Core.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
Poderosa.Plugin.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
Poderosa.PortForwardingCommand.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
Poderosa.Protocols.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
Poderosa.TerminalControl.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
Poderosa.TerminalEmulator.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
Poderosa.TerminalSession.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
Poderosa.UI.dll | MSIL_MSVC11_X86 | Win32 | 20191108174706
sapnco.dll | MSIL_MSVC8_X86 | Win32 | 20191108174706
sapnco_utils.dll | MSIL_CPP_MSVC8_X86 | Win32 | 20191108174706
sas.dll | MSVC9_X86_64 | Win64 | 20191108174706
sas1.dll | MSVC9_X86 | Win32 | 20191108174706
SharpSnmpLib.Full.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
SharpSnmpLib.Portable.dll | MSIL_MSVC14_X86 | Win32 | 20191108174706
SQLite.Interop.dll | MSVC14_X86 | Win32 | 20191108174706
ssh.dll | MSVC9_X86 | Win32 | 20191108174706
stcp.dll | MSVC9_X86 | Win32 | 20191108174706
SystemWrapper.dll | MSIL_MSVC8_X86 | Win32 | 20191108174706
telnet.dll | MSVC9_X86 | Win32 | 20191108174706
tesseract400.dll | MSVC14_X86 | Win32 | 20191108174706
ttw4ax.dll | MSVC9_X86 | Win32 | 20191108174706
ttw4gui.dll | MSVC9_X86 | Win32 | 20191108174706
ttw4prod.dll | MSVC9_X86 | Win32 | 20191108174706
ttw4ver.dll | MSVC9_X86 | Win32 | 20191108174706
vt.dll | MSVC9_X86 | Win32 | 20191108174706
WebSocket4Net.dll | MSIL_MSVC8_X86 | Win32 | 20191108174706
WindowsAccessBridge-32.dll | MSVC10_X86 | Win32 | 20191108174706
WindowsAccessBridge-64.dll | MSVC10_X86_64 | Win64 | 20191108174706
WindowsAccessBridge.dll | MSVC10_X86 | Win32 | 20191108174706

Flaw Types by Severity and Category

Static Scan: Security Quality Score = 98 (from prior scan)

Severity | Flaws
Very High | 0*
High | 0*
Medium | 0*
Low | 12*
  Code Quality | 6
  Information Leakage | 6*
Very Low | 0
Informational | 0
Total | 12*


Policy Evaluation
Policy Name: Veracode Recommended Very High

Revision: 1

Policy Status: Not Assessed

Description

Veracode provides default policies to make it easier for organizations to begin measuring their applications against policies. Veracode
Recommended Policies are available for customers as an option when they are ready to move beyond the initial bar set by the
Veracode Transitional Policies. The policies are based on the Veracode Level definitions.

Rules

Rule type | Requirement | Findings | Status
Minimum Veracode Level | VL5 | VL5* | Passed
(VL5) Min Analysis Score | 90 | 98* | Passed
(VL5) Max Severity | Medium | Flaws found: 0* | Passed
* - Reflects violated rules that have mitigated flaws


Unsupported Frameworks
This report may have incomplete results based on the following unsupported frameworks identified during the static scan:
* AutoMapper

The lack of support for all frameworks in use by this application and/or its supporting libraries may prevent the static discovery of some
flaws in the application; however, it does not invalidate the flaws that were found.


Findings & Recommendations

Detailed Flaws by Severity

Very High (0 flaws*) Fix Required by Policy.


No flaws of this type were found

High (0 flaws*) Fix Required by Policy.


No flaws of this type were found

Medium (0 flaws*) Fix Required by Policy.


No flaws of this type were found

Low (12 flaws*)


Code Quality(6 flaws)

Description
Code quality issues stem from failure to follow good coding practices and can lead to unpredictable behavior. These may
include but are not limited to:
* Neglecting to remove debug code or dead code
* Improper resource management, such as using a pointer after it has been freed
* Using the incorrect operator to compare objects
* Failing to follow an API or framework specification
* Using a language feature or API in an unintended manner
While code quality flaws are generally less severe than other categories and usually are not directly exploitable, they may
serve as indicators that developers are not following practices that increase the reliability and security of an application. For
an attacker, code quality issues may provide an opportunity to stress the application in unexpected ways.

Recommendations
The wide variance of code quality issues makes it impractical to generalize how these issues should be addressed. Refer to
individual categories for specific recommendations.

Associated Flaws by CWE ID:

Improper Resource Shutdown or Release (CWE ID 404)(6 flaws)

Description
The application fails to release (or incorrectly releases) a system resource before it is made available for re-use. This
condition often occurs with resources such as database connections or file handles. Most unreleased resource issues
result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, it may be
possible to launch a denial of service attack by depleting the resource pool.

Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.

Recommendations
When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as
accounting for all potential paths of expiration or invalidation. Ensure that all code paths properly release resources.


Instances found via Static Scan


Flaw Id Module # Class # Module Location Fix By
6317 34 - automationeventwatcher.exe#12.0.0.0 dev/.../email classes/imapclass.cs 144
16367 36 - automation.cr.clientsdk.dll dev/.../jsonserializer.cs 31
3656 52 - automation.schedulerlibrary.dll dev/.../schedulerlogic/routines.cs 371
5656 54 - aaplayer.exe#12.3.0.0 .../serializedeserialize.cs 39
30954 55 - reportmanager.exe#11.0.2.0/aa.editorx.ui.dll/automation.commands.common.dll dev/.../smartrecorderbase.cs 1753
34392 56 - aa.editorx.ui.dll dev/.../soaprequestbody.cs 123

Information Leakage(6 flaws*)

Description
An information leak is the intentional or unintentional disclosure of information that is either regarded as sensitive within the
product's own functionality or provides information about the product or its environment that could be useful in an attack.
Information leakage issues are commonly overlooked because they cannot be used to directly exploit the application.
However, information leaks should be viewed as building blocks that an attacker uses to carry out other, more complicated
attacks.

There are many different types of problems that involve information leaks, with severities that can range widely depending on
the type of information leaked and the context of the information with respect to the application. Common sources of
information leakage include, but are not limited to:
* Source code disclosure
* Browsable directories
* Log files or backup files in web-accessible directories
* Unfiltered backend error messages
* Exception stack traces
* Server version information
* Transmission of uninitialized memory containing sensitive data

Recommendations
Configure applications and servers to return generic error messages and to suppress stack traces from being displayed to end
users. Ensure that errors generated by the application do not provide insight into specific backend issues.

Remove all backup files, binary archives, alternate versions of files, and test files from web-accessible directories of production
servers. The only files that should be present in the application's web document root are files required by the application.
Ensure that deployment procedures include the removal of these file types by an administrator. Keep web and application
servers fully patched to minimize exposure to publicly-disclosed information leakage vulnerabilities.

Associated Flaws by CWE ID:


Information Exposure Through Sent Data (CWE ID 201)(6 flaws*)

Description
Sensitive information may be exposed as a result of outbound network connections made by the application.

Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.

Recommendations
Ensure that the transfer of sensitive data is intended and that it does not violate application security policy or user
expectations.

Instances found via Static Scan


Flaw Id Module # Class # Module Location Fix By
6947 34 - automationeventwatcher.exe#12.0.0.0 dev/.../email classes/imapclass.cs 119
6948 34 - automationeventwatcher.exe#12.0.0.0 dev/.../email classes/imapclass.cs 430
42066 44 - aaplugininstallation.exe#11.1.0.0 dev/.../plugincommon.cs 388
6946 45 - automationeventwatcher.exe#12.0.0.0 dev/.../pop3client.cs 131
6939 45 - automationeventwatcher.exe#12.0.0.0 dev/.../pop3client.cs 510
6940 45 - automationeventwatcher.exe#12.0.0.0 dev/.../pop3client.cs 538

Very Low (0 flaws)


No flaws of this type were found

Info (0 flaws)
No flaws of this type were found


Flaws in Common Modules


This section highlights the score impact of flaws in common modules in this application.

Module: Automation.Generic.dll Used by 55 executables; score impact: 53


Location Severity # Instances Flaw Category CWE ID Exploitability
processinvoker.cs 150 5 2 OS Command Injection 78 Likely
processinvoker.cs 155 5 15 OS Command Injection 78 Likely
fileoperations.cs 28 3 23 Directory Traversal 73 Likely
fileoperations.cs 33 3 36 Directory Traversal 73 Likely
fileoperations.cs 38 3 23 Directory Traversal 73 Likely
fileoperations.cs 43 3 14 Directory Traversal 73 Likely
fileoperations.cs 48 3 14 Directory Traversal 73 Likely
fileoperations.cs 54 3 9 Directory Traversal 73 Likely
fileoperations.cs 73 3 9 Directory Traversal 73 Likely
fileoperations.cs 78 3 5 Directory Traversal 73 Likely
fileoperations.cs 83 3 37 Directory Traversal 73 Likely
fileoperations.cs 88 3 22 Directory Traversal 73 Likely
fileoperations.cs 94 3 29 Directory Traversal 73 Likely
fileoperations.cs 100 3 1 Directory Traversal 73 Likely
fileoperations.cs 106 3 32 Directory Traversal 73 Likely
fileoperations.cs 111 3 38 Directory Traversal 73 Likely
fileoperations.cs 116 3 38 Directory Traversal 73 Likely
fileoperations.cs 121 3 37 Directory Traversal 73 Likely
fileoperations.cs 126 3 37 Directory Traversal 73 Likely
fileoperations.cs 131 3 15 Directory Traversal 73 Likely
fileoperations.cs 136 3 36 Directory Traversal 73 Likely
fileoperations.cs 141 3 38 Directory Traversal 73 Likely
fileoperations.cs 146 3 36 Directory Traversal 73 Likely
fileoperations.cs 151 3 36 Directory Traversal 73 Likely
fileoperations.cs 156 3 37 Directory Traversal 73 Likely
fileoperations.cs 161 3 38 Directory Traversal 73 Likely
aasaferxmldocument.cs 81 3 7 Information Leakage 611 Neutral
aasaferxmldocument.cs 113 3 2 Information Leakage 611 Neutral
aasaferxmldocument.cs 145 3 26 Information Leakage 611 Neutral
aasaferxmldocument.cs 177 3 16 Directory Traversal 73 Likely
aasaferxmldocument.cs 177 3 16 Information Leakage 611 Neutral
aasaferxmldocument.cs 180 3 16 Directory Traversal 73 Likely
aasaferxmldocument.cs 269 3 21 Information Leakage 611 Neutral
directoryoperations.cs 82 3 35 Directory Traversal 73 Likely
directoryoperations.cs 133 3 17 Directory Traversal 73 Likely
directoryoperations.cs 138 3 10 Directory Traversal 73 Likely

directoryoperations.cs 143 3 8 Directory Traversal 73 Likely
directoryoperations.cs 195 3 5 Directory Traversal 73 Likely
packageoperations.cs 20 3 29 Directory Traversal 73 Likely
packageoperations.cs 25 3 1 Directory Traversal 73 Likely
packageoperations.cs 35 3 1 Directory Traversal 73 Likely
trippledescryptowithhash.cs 131 3 53 Cryptographic Issues 327 Likely
trippledescryptowithhash.cs 136 3 106 Cryptographic Issues 327 Likely
descrypto.cs 26 3 106 Cryptographic Issues 327 Likely
logconfigfilemanager.cs 33 3 1 Directory Traversal 73 Likely
xmlconfiguration.cs 186 3 3 Directory Traversal 73 Likely

Module: Automation.Common.dll Used by 31 executables; score impact: 14


Location Severity # Instances Flaw Category CWE ID Exploitability
userconfiguration.cs 68 3 1 Directory Traversal 73 Likely
userconfiguration.cs 68 3 1 Information Leakage 611 Neutral
userconfiguration.cs 104 3 1 Directory Traversal 73 Likely
userconfiguration.cs 104 3 1 Information Leakage 611 Neutral
userconfiguration.cs 161 3 1 Directory Traversal 73 Likely
userconfiguration.cs 161 3 1 Information Leakage 611 Neutral
userconfiguration.cs 209 3 1 Directory Traversal 73 Likely
userconfiguration.cs 209 3 1 Information Leakage 611 Neutral
userconfiguration.cs 270 3 1 Directory Traversal 73 Likely
userconfiguration.cs 270 3 1 Information Leakage 611 Neutral
userconfiguration.cs 308 3 1 Directory Traversal 73 Likely
userconfiguration.cs 308 3 1 Information Leakage 611 Neutral
userconfiguration.cs 354 3 1 Directory Traversal 73 Likely
userconfiguration.cs 354 3 1 Information Leakage 611 Neutral
userconfiguration.cs 479 3 1 Directory Traversal 73 Likely
userconfiguration.cs 479 3 1 Information Leakage 611 Neutral
userconfiguration.cs 679 3 1 Directory Traversal 73 Likely
userconfiguration.cs 725 3 1 Directory Traversal 73 Likely
userconfiguration.cs 725 3 1 Information Leakage 611 Neutral
autologinconfiguration.cs 58 3 1 Directory Traversal 73 Likely
autologinconfiguration.cs 58 3 1 Information Leakage 611 Neutral
autologinconfiguration.cs 109 3 1 Directory Traversal 73 Likely
autologinconfiguration.cs 109 3 1 Information Leakage 611 Neutral
backupandrestoreoperations.cs 124 3 1 Directory Traversal 73 Likely
backupandrestoreoperations.cs 124 3 1 Information Leakage 611 Neutral
legacyproductconfiguration.cs 290 3 1 Directory Traversal 73 Likely
legacyproductconfiguration.cs 290 3 1 Information Leakage 611 Neutral
routines.cs 137 3 1 Directory Traversal 73 Likely
routines.cs 137 3 1 Information Leakage 611 Neutral

Module: AA.EditorX.UI.dll Used by 6 executables; score impact: 4


Location Severity # Instances Flaw Category CWE ID Exploitability
webservice.cs 248 3 1 Directory Traversal 73 Likely
webservice.cs 553 3 1 Information Leakage 918 Neutral
webservice.cs 806 3 1 Directory Traversal 73 Likely
frmocr.cs 1086 3 1 Information Leakage 918 Neutral
frmocr.cs 1836 3 1 Information Leakage 918 Neutral
adbrowse.cs 239 3 7 Insufficient Input Validation 90 Neutral
frmsoapwebservicebuilduri.cs 398 3 1 Information Leakage 611 Neutral
ieextractmultipledata.cs 116 3 1 Directory Traversal 73 Likely
soaprequestbody.cs 123 2 1 Code Quality 404 Neutral

Module: Automation.Util.dll Used by 38 executables; score impact: 4


Location Severity # Instances Flaw Category CWE ID Exploitability
commonconfiguration.cs 84 3 1 Directory Traversal 73 Likely
commonconfiguration.cs 84 3 1 Information Leakage 611 Neutral
commonconfiguration.cs 181 3 1 Directory Traversal 73 Likely
xmlserializer.cs 112 3 7 Directory Traversal 73 Likely
xmlserializer.cs 115 3 7 Information Leakage 611 Neutral
cloudfeatureconfiguration.cs 69 3 1 Directory Traversal 73 Likely
commonmethods.cs 300 3 1 Directory Traversal 73 Likely

Module: Automation.Core.dll Used by 35 executables; score impact: 2


Location Severity # Instances Flaw Category CWE ID Exploitability
aaarray.cs 103 3 1 Information Leakage 611 Neutral
aadictionary.cs 136 3 1 Information Leakage 611 Neutral
aalist.cs 177 3 1 Information Leakage 611 Neutral
xmlcommand.cs 111 3 25 Cryptographic Issues 316 Neutral

Module: Automation.Legacy.NativeAPI.dll Used by 56 executables; score impact: 2


Location Severity # Instances Flaw Category CWE ID Exploitability
winapiwrapper.cs 345 4 57 Potential Backdoor 506 Neutral

Module: Automation.Notification.dll Used by 3 executables; score impact: 2

Location Severity # Instances Flaw Category CWE ID Exploitability
notificationcontext.cs 20 4 1 Untrusted Initialization 15 Neutral

Module: Automation.Recorder.dll Used by 7 executables; score impact: 2


Location Severity # Instances Flaw Category CWE ID Exploitability
globalhook.cs 123 4 4 Potential Backdoor 506 Neutral

Module: Automation.SSO.dll Used by 4 executables; score impact: 2


Location Severity # Instances Flaw Category CWE ID Exploitability
cookieutil.cs 85 3 3 Information Leakage 611 Neutral
cookieutil.cs 115 3 2 Information Leakage 611 Neutral
urls.cs 46 3 3 Cryptographic Issues 316 Neutral

Module: Automation.SchedulerLibrary.dll Used by 11 executables; score impact: 2


Location Severity # Instances Flaw Category CWE ID Exploitability
routines.cs 371 2 2 Code Quality 404 Neutral
routines.cs 371 3 3 Directory Traversal 73 Likely
readwritetaskschedules.cs 773 3 1 Directory Traversal 73 Likely

Module: Automation.EventWatcher.dll Used by 6 executables; score impact: 2


Location Severity # Instances Flaw Category CWE ID Exploitability
xmllib.cs 216 3 2 Information Leakage 611 Neutral
xmllib.cs 298 3 2 Information Leakage 611 Neutral

Module: Automation.Client.ServerCommunication.dll Used by 4 executables; score impact: 1


Location Severity # Instances Flaw Category CWE ID Exploitability
commonmethods.cs 98 3 1 Directory Traversal 73 Likely

Module: Automation.ClientConfigurationService.dll Used by 33 executables; score impact: 1


Location Severity # Instances Flaw Category CWE ID Exploitability
clientserverpropertiesextension.cs 54 3 1 Directory Traversal 73 Likely

Module: Automation.CR.ClientSdk.dll Used by 17 executables; score impact: 1


Location Severity # Instances Flaw Category CWE ID Exploitability
jsonserializer.cs 31 2 1 Code Quality 404 Neutral

Module: Automation.Commands.Common.dll Used by 9 executables; score impact: 1


Location Severity # Instances Flaw Category CWE ID Exploitability
smartrecorderbase.cs 1753 2 1 Code Quality 404 Neutral

About Veracode's Methodology


The Veracode platform uses static and dynamic analysis (for web applications) to inspect executables and identify security flaws in your
applications. Using both static and dynamic analysis helps reduce false negatives and detect a broader range of security flaws. The
static binary analysis engine models the binary executable into an intermediate representation, which is then verified for security flaws
using a set of automated security scans. Dynamic analysis uses an automated penetration testing technique to detect security flaws at
runtime. Once the automated process is complete, a security technician verifies the output to ensure the lowest false positive rates in
the industry. The end result is an accurate list of security flaws for the classes of automated scans applied to the application.

Veracode Rating System Using Multiple Analysis Techniques


Higher assurance applications require more comprehensive analysis to accurately score their security quality. Because each analysis
technique (automated static, automated dynamic, manual penetration testing or manual review) has differing false negative (FN) rates
for different types of security flaws, any single analysis technique or even combination of techniques is bound to produce a certain level
of false negatives. Some false negatives are acceptable for lower business critical applications, so a less expensive analysis using only
one or two analysis techniques is acceptable. At higher business criticality the FN rate should be close to zero, so multiple analysis
techniques are recommended.

Application Security Policies


The Veracode platform allows an organization to define and enforce a uniform application security policy across all applications in its
portfolio. The elements of an application security policy include the target Veracode Level for the application; types of flaws that should
not be in the application (which may be defined by flaw severity, flaw category, CWE, or a common standard including OWASP,
CWE/SANS Top 25, or PCI); minimum Veracode security score; required scan types and frequencies; and grace period within which
any policy-relevant flaws should be fixed.

Policy constraints
Policies have three main constraints that can be applied: rules, required scans, and remediation grace periods.

Evaluating applications against a policy


When an application is evaluated against a policy, it can receive one of four assessments:

Not assessed      The application has not yet had a scan published.
Passed            The application has passed all the aspects of the policy, including rules, required scans, and grace period.
Did not pass      The application has not completed all required scans; has not achieved the target Veracode Level; or has one or more policy relevant flaws that have exceeded the grace period to fix.
Conditional pass  The application has one or more policy relevant flaws that have not yet exceeded the grace period to fix.

Understand Veracode Levels


The Veracode Level (VL) achieved by an application is determined by the type of testing performed on the application, and the severity and
types of flaws detected. A minimum security score (defined below) is also required for each level.

There are five Veracode Levels denoted as VL1, VL2, VL3, VL4, and VL5. VL1 is the lowest level and is achieved by demonstrating
that security testing, automated static or dynamic, is utilized during the SDLC. VL5 is the highest level and is achieved by performing
automated and manual testing and removing all significant flaws. The Veracode Levels VL2, VL3, and VL4 form a continuum of
increasing software assurance between VL1 and VL5.

For IT staff operating applications, Veracode Levels can be used to set application security policies. For deployment scenarios of
different business criticality, differing VLs should be made requirements. For example, the policy for applications that handle credit card
transactions, and therefore have PCI compliance requirements, should be VL5. A medium business criticality internal application could
have a policy requiring VL3.

Software developers can decide which VL they want to achieve based on the requirements of their customers. Developers of software
that is mission critical to most of their customers will want to achieve VL5. Developers of general purpose business software may want
to achieve VL3 or VL4. Once the software has achieved a Veracode Level it can be communicated to customers through a Veracode
Report or through the Veracode Directory on the Veracode web site.

Criteria for achieving Veracode Levels


The following table defines the criteria for achieving each Veracode Level. The criteria are: Flaw Severities Not
Allowed, Flaw Categories Not Allowed, Testing Required, and Minimum Score.

*Dynamic is only an option for web applications.

Veracode Level   Flaw Severities Not Allowed   Testing Required*             Minimum Score
VL5              V.High, High, Medium          Static AND Manual             90
VL4              V.High, High, Medium          Static                        80
VL3              V.High, High                  Static                        70
VL2              V.High                        Static OR Dynamic OR Manual   60
VL1              -                             Static OR Dynamic OR Manual   -

When multiple testing techniques are used it is likely that not all testing will be performed on the exact same build. If that is the
case the latest test results from a particular technique will be used to calculate the current Veracode Level. After 6 months test
results will be deemed out of date and will no longer be used to calculate the current Veracode Level.

Business Criticality
The foundation of the Veracode rating system is the concept that more critical applications require higher security quality scores to be
acceptable risks. Less business critical applications can tolerate lower security quality. The business criticality is dictated by the typical
deployed environment and the value of data used by the application. Factors that determine business criticality are: reputation damage,
financial loss, operational risk, sensitive information disclosure, personal safety, and legal violations.

US. Govt. OMB Memorandum M-04-04; NIST FIPS Pub. 199

Business Criticality Description

Very High Mission critical for business/safety of life and limb on the line

High Exploitation causes serious brand damage and financial loss with long term business impact

Medium Applications connected to the internet that process financial or private customer information

Low Typically internal applications with non-critical business impact

Very Low Applications with no material business impact

Business Criticality Definitions


Very High (BC5) This is typically an application where the safety of life or limb is dependent on the system; it is mission critical
that the application maintain 100% availability for the long term viability of the project or business. Examples are control software
for industrial, transportation or medical equipment or critical business systems such as financial trading systems.
High (BC4) This is typically an important multi-user business application reachable from the internet, and it is critical that the
application maintain high availability to accomplish its mission. Exploitation of high criticality applications causes serious brand
damage and business/financial loss and could lead to long term business impact.
Medium (BC3) This is typically a multi-user application connected to the internet or any system that processes financial or
private customer information. Exploitation of medium criticality applications typically results in material business impact resulting
in some financial loss, brand damage or business liability. An example is a financial services company's internal 401K
management system.
Low (BC2) This is typically an internal only application that requires low levels of application security, such as authentication to
protect access to non-critical business information and prevent IT disruptions. Exploitation of low criticality applications may
lead to minor levels of inconvenience, distress or IT disruption. Example internal systems are a conference room reservation
or business card order system.
Very Low (BC1) Applications that have no material business impact should their confidentiality, data integrity or availability be
affected. Code security analysis is not required for applications at this business criticality, and security spending should be
directed to other higher criticality applications.

Scoring Methodology
The Veracode scoring system, Security Quality Score, is built on the foundation of two industry standards, the Common Weakness
Enumeration (CWE) and Common Vulnerability Scoring System (CVSS). CWE provides the dictionary of security flaws and CVSS
provides the foundation for computing severity, based on the potential Confidentiality, Integrity and Availability impact of a flaw if
exploited.

The Security Quality Score is a single score from 0 to 100, where 0 is the most insecure application and 100 is an application with no
detectable security flaws. The score calculation includes non-linear factors so that, for instance, a single Severity 5 flaw is weighted
more heavily than five Severity 1 flaws, and so that each additional flaw at a given severity contributes progressively less to the score.

Veracode assigns a severity level to each flaw type based on three foundational application security requirements — Confidentiality,
Integrity and Availability. Each of the severity levels reflects the potential business impact if a security breach occurs across one or
more of these security dimensions.

Confidentiality Impact
According to CVSS, this metric measures the impact on confidentiality if an exploit should occur using the vulnerability on the
target system. At the weakness level, the scope of Confidentiality in this model is within an application and is measured at
three levels of impact: None, Partial and Complete.

Integrity Impact
This metric measures the potential impact on integrity of the application being analyzed. Integrity refers to the trustworthiness
and guaranteed veracity of information within the application. Integrity measures are meant to protect data from unauthorized
modification. When the integrity of a system is sound, it is fully protected against unauthorized modification of its contents.

Availability Impact
This metric measures the potential impact on availability if a successful exploit of the vulnerability is carried out on a target
application. Availability refers to the accessibility of information resources. Almost exclusive to this domain are denial-of-
service vulnerabilities. Attacks that compromise authentication and authorization for application access, application memory,
and administrative privileges are examples of impact on the availability of an application.

Security Quality Score Calculation


The overall Security Quality Score is computed by aggregating impact levels of all weaknesses within an application and representing
the score on a 100 point scale. This score does not predict vulnerability potential as much as it enumerates the security weaknesses
and their impact levels within the application code.

The Raw Score formula puts weights on each flaw based on its impact level. These weights are exponential and determined by
empirical analysis by Veracode's application security experts with validation from industry experts. The score is normalized to a scale of
0 to 100, where a score of 100 is an application with 0 detected flaws using the analysis technique for the application's business
criticality.

Understand Severity, Exploitability, and Remediation Effort


Severity and exploitability are two different measures of the seriousness of a flaw. Severity is defined in terms of the potential impact to
confidentiality, integrity, and availability of the application as defined in the CVSS, and exploitability is defined in terms of the likelihood
or ease with which a flaw can be exploited. A high severity flaw with a high likelihood of being exploited by an attacker is potentially
more dangerous than a high severity flaw with a low likelihood of being exploited.

Remediation effort, also called Complexity of Fix, is a measure of the likely effort required to fix a flaw. Together with severity, the
remediation effort is used to give Fix First guidance to the developer.

Veracode Flaw Severities


Veracode flaw severities are defined as follows:

Severity       Description
Very High      The offending line or lines of code contain a very serious weakness and are an easy target for an attacker. The code should be modified immediately to avoid potential attacks.
High           The offending line or lines of code have a significant weakness, and the code should be modified immediately to avoid potential attacks.
Medium         A weakness of average severity. These should be fixed in high assurance software. For medium assurance software, a fix for this weakness should be considered after the very high and high severity flaws are fixed.
Low            A low priority weakness that will have a small impact on the security of the software. Fixing should be considered for high assurance software. Medium and low assurance software can ignore these flaws.
Very Low       Minor problems that some high assurance software may want to be aware of. These flaws can be safely ignored in medium and low assurance software.
Informational  Issues that have no impact on the security quality of the application but which may be of interest to the reviewer.

Informational findings
Informational severity findings are items observed in the analysis of the application that have no impact on the security quality
of the application but may be interesting to the reviewer for other reasons. These findings may include code quality issues, API
usage, and other factors.

Informational severity findings have no impact on the security quality score of the application and are not included in the
summary tables of flaws for the application.

Exploitability
Each flaw instance in a static scan may receive an exploitability rating. The rating is an indication of the intrinsic likelihood that the flaw
may be exploited by an attacker. Veracode recommends that the exploitability rating be used to prioritize flaw remediation within a
particular group of flaws with the same severity and difficulty of fix classification.

The possible exploitability ratings include:

Exploitability Description

V. Unlikely Very unlikely to be exploited

Unlikely Unlikely to be exploited

Neutral Neither likely nor unlikely to be exploited

Likely Likely to be exploited

V. Likely Very likely to be exploited

Note: All reported flaws found via dynamic scans are assumed to be exploitable, because the dynamic scan actually executes
the attack in question and verifies that it is valid.

Effort/Complexity of Fix
Each flaw instance receives an effort/complexity of fix rating based on the classification of the flaw. The effort/complexity of fix
rating is given on a scale of 1 to 5, as follows:

Effort/Complexity of Fix Description

5 Complex design error. Requires significant redesign.

4 Simple design error. Requires redesign and up to 5 days to fix.

3 Complex implementation error. Fix is approx. 51-500 lines of code. Up to 5 days to fix.

2 Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.

1 Trivial implementation error. Fix is up to 5 lines of code. One hour or less to fix.

Flaw Types by Severity Level


The flaw types by severity level table provides a summary of flaws found in the application by Severity and Category. The table puts the
Security Quality Score into context by showing the specific breakout of flaws by severity, used to compute the score as described
above. If multiple analysis techniques are used, the table includes a breakout of all flaws by category and severity for each analysis
type performed.

Flaws by Severity
The flaws by severity chart shows the distribution of flaws by severity. An application can get a mediocre security rating by having a few
high risk flaws or many medium risk flaws.

Flaws in Common Modules


The flaws in common modules listing shows a summary of flaws in shared dependency modules in this application. A shared
dependency is a dependency that is used by more than one analyzed module. Each module is listed with the number of executables
that consume it as a dependency and a summary of the impact on the application's security score of the flaws found in the dependency.

The score impact represents the amount that the application score would increase if all the flaws in the shared dependency module
were fixed. This information can be used to focus remediation efforts on common modules with a higher impact on the application
security score.

Only common modules that were uploaded with debug information are included in the Flaws in Common Modules listing.

© 2019 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 26 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com


Veracode Detailed Report prepared for Automation Anywhere – Dec 5, 2019

Action Items
The Action Items section of the report provides guidance on the steps required to bring the application to a state where it passes its
assigned policy. These steps may include fixing or mitigating flaws or performing additional scans. The section also includes best
practice recommendations to improve the security quality of the application.

Common Weakness Enumeration (CWE)


The Common Weakness Enumeration (CWE) is an industry standard classification of types of software weaknesses, or flaws, that can
lead to security problems. CWE is widely used to provide a standard taxonomy of software errors. Every flaw in a Veracode report is
classified according to a standard CWE identifier.

More guidance and background about the CWE is available at http://cwe.mitre.org/data/index.html.

About Manual Assessments


The Veracode platform can include the results from a manual assessment (usually a penetration test or code review) as part of a report.
These results differ from the results of automated scans in several important ways, including objectives, attack vectors, and common
attack patterns.

A manual penetration assessment is conducted to observe the application code in a run-time environment and to simulate real-world
attack scenarios. Manual testing is able to identify design flaws, evaluate environmental conditions, compound multiple lower risk flaws
into higher risk vulnerabilities, and determine if identified flaws affect the confidentiality, integrity, or availability of the application.

Objectives
The stated objectives of a manual penetration assessment are:

• Perform testing, using proprietary and/or public tools, to determine whether it is possible for an attacker to:
    • Circumvent authentication and authorization mechanisms
    • Escalate application user privileges
    • Hijack accounts belonging to other users
    • Violate access controls placed by the site administrator
    • Alter data or data presentation
    • Corrupt application and data integrity, functionality and performance
    • Circumvent application business logic
    • Circumvent application session management
    • Break or analyze use of cryptography within user accessible components
• Determine the possible extent of access or impact to the system by attempting to exploit vulnerabilities
• Score vulnerabilities using the Common Vulnerability Scoring System (CVSS)
• Provide tactical recommendations to address security issues of immediate consequence
• Provide strategic recommendations to enhance security by leveraging industry best practices

Attack vectors
In order to achieve the stated objectives, the following tests are performed as part of the manual penetration assessment,
when applicable to the platforms and technologies in use:

• Cross Site Scripting (XSS)
• SQL Injection
• Command Injection
• Cross Site Request Forgery (CSRF)
• Authentication/Authorization Bypass
• Session Management testing, e.g. token analysis, session expiration, and logout effectiveness
• Account Management testing, e.g. password strength, password reset, account lockout, etc.
• Directory Traversal
• Response Splitting
• Stack/Heap Overflows
• Format String Attacks
• Cookie Analysis
• Server Side Includes Injection
• Remote File Inclusion
• LDAP Injection
• XPATH Injection
• Internationalization attacks
• Denial of Service testing at the application layer only
• AJAX Endpoint Analysis
• Web Services Endpoint Analysis
• HTTP Method Analysis
• SSL Certificate and Cipher Strength Analysis
• Forced Browsing

CAPEC Attack Pattern Classification


The following attack pattern classifications are used to group similar application flaws discovered during manual penetration
testing. Attack patterns describe the general methods employed to access and exploit the specific weaknesses that exist
within an application. CAPEC (Common Attack Pattern Enumeration and Classification) is an effort led by Cigital, Inc. and is
sponsored by the United States Department of Homeland Security's National Cyber Security Division.

Abuse of Functionality
Exploitation of business logic errors or misappropriation of programmatic resources. Application functions are developed to
specifications with particular intentions, and these types of attacks serve to undermine those intentions.

Examples:

• Exploiting password recovery mechanisms
• Accessing unpublished or test APIs
• Cache poisoning

Spoofing
Impersonation of entities or trusted resources. A successful attack will present itself to a verifying entity with an acceptable
level of authenticity.

Examples:

• Man in the middle attacks
• Checksum spoofing
• Phishing attacks

Probabilistic Techniques
Using predictive capabilities or exhaustive search techniques in order to derive or manipulate sensitive information. Attacks
capitalize on the availability of computing resources or the lack of entropy within targeted components.

Examples:

• Password brute forcing
• Cryptanalysis
• Manipulation of authentication tokens

Exploitation of Authentication
Circumventing authentication requirements to access protected resources. Design or implementation flaws may allow
authentication checks to be ignored, delegated, or bypassed.

Examples:

• Cross-site request forgery
• Reuse of session identifiers
• Flawed authentication protocol

Resource Depletion
Affecting the availability of application components or resources through symmetric or asymmetric consumption. Unrestricted
access to computationally expensive functions or implementation flaws that affect the stability of the application can be
targeted by an attacker in order to cause denial of service conditions.

Examples:

• Flooding attacks
• Unlimited file upload size
• Memory leaks

Exploitation of Privilege/Trust
Undermining the application's trust model in order to gain access to protected resources or gain additional levels of access as
defined by the application. Applications that implicitly extend trust to resources or entities outside of their direct control are
susceptible to attack.

Examples:

• Insufficient access control lists
• Circumvention of client side protections
• Manipulation of role identification information

Injection
Inserting unexpected inputs to manipulate control flow or alter normal business processing. Applications must contain
sufficient data validation checks in order to sanitize tainted data and prevent malicious, external control over internal
processing.

Examples:

• SQL Injection
• Cross-site scripting
• XML Injection

Data Structure Attacks


Supplying unexpected or excessive data that results in more data being written to a buffer than it is capable of holding.
Successful attacks of this class can result in arbitrary command execution or denial of service conditions.

Examples:

• Buffer overflow
• Integer overflow
• Format string overflow

Data Leakage Attacks


Recovering information exposed by the application that may itself be confidential or may be useful to an attacker in discovering
or exploiting other weaknesses. A successful attack may be conducted using passive observation or active interception methods.
This attack pattern often manifests itself in the form of applications that expose sensitive information within error messages.

Examples:

• Sniffing clear-text communication protocols
• Stack traces returned to end users
• Sensitive information in HTML comments

Resource Manipulation
Manipulating application dependencies or accessed resources in order to undermine security controls and gain unauthorized
access to protected resources. Applications may use tainted data when constructing paths to local resources or when
constructing processing environments.


Examples:

• Carriage Return Line Feed log file injection
• File retrieval via path manipulation
• User specification of configuration files
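The following is an added example written for this edition of the report page; it is not code from the Veracode report or from the Automation Anywhere product. It shows two controls for the Resource Manipulation class in C#, the language of the modules listed in Appendix B: confining a file name chosen by the local user to a fixed base directory (the CWE-73 pattern that dominates Appendix B), and neutralising carriage returns and line feeds before that name is written to a log. The class and method names (ResourceGuard, ResolveWithinBase, ForLog), the base directory and the sample inputs are illustrative, and the code assumes a Windows host.

```csharp
// Added example; not code from the Veracode report or the Automation Anywhere product.
// Two controls for the "Resource Manipulation" class:
//  - confine a user-supplied file name to a fixed base directory (CWE-73, path manipulation)
//  - neutralise CR/LF before that name is written to a log (CRLF log injection)
// All names and sample inputs are illustrative; a Windows host is assumed.
using System;
using System.IO;
using System.Text;

public static class ResourceGuard
{
    // Returns the canonical absolute path when it stays inside baseDir, otherwise null.
    // Windows path comparison is case-insensitive, hence OrdinalIgnoreCase below.
    public static string ResolveWithinBase(string baseDir, string untrustedName)
    {
        if (string.IsNullOrWhiteSpace(untrustedName))
            return null;

        // Control characters and the other characters Windows forbids in paths are rejected
        // up front; newer runtimes no longer throw on them in GetFullPath.
        if (untrustedName.IndexOfAny(Path.GetInvalidPathChars()) >= 0)
            return null;

        // Only relative names are allowed: @"C:\x", @"\\server\share" and @"\x" are all rooted.
        if (Path.IsPathRooted(untrustedName))
            return null;

        string canonicalBase;
        string candidate;
        try
        {
            canonicalBase = Path.GetFullPath(baseDir);
            // Trailing separator so that "C:\data" does not also match "C:\data-secret\...".
            if (!canonicalBase.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
                canonicalBase += Path.DirectorySeparatorChar;

            // GetFullPath collapses "." and ".." segments and normalises '/' to '\'.
            candidate = Path.GetFullPath(Path.Combine(canonicalBase, untrustedName));
        }
        catch (ArgumentException) { return null; }      // illegal characters (older runtimes)
        catch (PathTooLongException) { return null; }
        catch (NotSupportedException) { return null; }  // e.g. a stray ':' (drive or stream syntax)

        // Decide on the canonical form, never on the raw input or on the presence of "..".
        return candidate.StartsWith(canonicalBase, StringComparison.OrdinalIgnoreCase)
            ? candidate
            : null;
    }

    // Replaces control characters (CR, LF, TAB, ...) so a crafted name cannot forge log records.
    public static string ForLog(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
            sb.Append(char.IsControl(c) ? '?' : c);
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed base directory and sample inputs: one benign name, one that uses ".."
        // but stays inside the base, two escape attempts, and one log-injection attempt.
        string baseDir = Path.Combine(Path.GetTempPath(), "aae-example");
        string[] inputs =
        {
            "report.xml",
            @"sub\..\report.xml",
            @"..\..\Windows\win.ini",
            @"C:\Windows\win.ini",
            "ok.txt\r\n2019-12-05 INFO forged entry",
        };

        foreach (string input in inputs)
        {
            string resolved = ResolveWithinBase(baseDir, input);
            Console.WriteLine($"{ForLog(input),-40} -> {(resolved ?? "REJECTED")}");
        }
    }
}
```

Compile and run it with the usual C# toolchain (csc or dotnet). The second input resolves to a location inside the base and is accepted even though it contains "..", which is why the decision is made on the canonical path rather than by searching the input for traversal sequences. A containment check of this kind complements the operating-system permissions that the Appendix B mitigations rely on; it does not replace them.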

Time and State Attacks
Undermining state condition assumptions made by the application or capitalizing on time delays between security checks and
performed operations. An application that does not enforce a required processing sequence or does not handle concurrency
adequately will be susceptible to these attack patterns.

Examples:

• Bypassing intermediate form processing steps
• Time-of-check and time-of-use race conditions
• Deadlock triggering to cause a denial of service
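As an added example (not code from the Veracode report or from the Automation Anywhere product), the time-of-check/time-of-use pattern named above and its atomic replacement, again in C#. The racy variant tests for a file and then writes it as two separate operations; the atomic variant asks the operating system to create the file only if it does not already exist, so there is no window between the check and the use. The class and method names and the temporary path are illustrative.

```csharp
// Added example; not code from the Veracode report or the Automation Anywhere product.
// The check-then-act pattern that opens a time-of-check/time-of-use window, beside the
// atomic form. Names and the temporary path are illustrative.
using System;
using System.IO;

public static class AtomicCreate
{
    // RACY: between File.Exists and WriteAllText another process can create the file
    // (or swap in a junction/symlink), so "never overwrite an existing file" is not enforced.
    public static bool WriteIfAbsentRacy(string path, string content)
    {
        if (File.Exists(path))                 // time of check
            return false;
        File.WriteAllText(path, content);      // time of use: may clobber a file created in between
        return true;
    }

    // ATOMIC: FileMode.CreateNew makes the OS perform "create only if absent" as one operation,
    // so the existence test and the creation cannot be separated by a concurrent actor.
    public static bool WriteIfAbsentAtomic(string path, string content)
    {
        try
        {
            using (var fs = new FileStream(path, FileMode.CreateNew, FileAccess.Write, FileShare.None))
            using (var writer = new StreamWriter(fs))
            {
                writer.Write(content);
            }
            return true;
        }
        catch (IOException) when (File.Exists(path))
        {
            // The file was already there or another creator won the race: refuse, do not overwrite.
            // Any other IOException (missing directory, for instance) propagates to the caller.
            return false;
        }
    }

    public static void Main()
    {
        // Constructed temporary path; nothing here touches real product files.
        string path = Path.Combine(Path.GetTempPath(), "aae-toctou-" + Guid.NewGuid().ToString("N") + ".txt");
        try
        {
            Console.WriteLine("first create  : " + WriteIfAbsentAtomic(path, "owner A"));
            Console.WriteLine("second create : " + WriteIfAbsentAtomic(path, "owner B"));
            Console.WriteLine("content       : " + File.ReadAllText(path));
            // The racy variant gives the same answer in a single-threaded run, which is
            // exactly why this class of flaw survives functional testing.
            Console.WriteLine("racy variant  : " + WriteIfAbsentRacy(path, "owner C"));
        }
        finally
        {
            File.Delete(path);
        }
    }
}
```

The same principle, operate on the handle you opened rather than on a path you checked earlier, applies to reading configuration files: open the stream once, then pass the stream (not the path) to the code that consumes it.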

Terms of Use
Use and distribution of this report are governed by the agreement between Veracode and its customer. In particular, this report and the
results in the report cannot be used publicly in connection with Veracode’s name without written permission.


Appendix A: Changes from Last Scan

Static Scan      Latest Scan                      Prior Scan
Scan Name:       8_2019-12-04-20:46:37-client     6_2019-12-02-23:24:40-client
Completed:       12/4/19                          12/2/19
Score:           98                               98

Flaws not detected in current scan


The following is a list of all flaws found in the prior scan of this application that were not detected in the current scan.


Appendix B: Approved Mitigated Flaws (by Automation Anywhere)


NOTE: Except in circumstances where the Customer has purchased Veracode’s Mitigation Proposal Review Solution, Veracode does
not review the mitigation strategy described below and is not responsible for its contents or the accuracy of any statements provided.
Very High (2 flaws)    Fix Required by Policy
Status key: Flaw no longer impacts results. / Flaw continues to impact results.

OS Command Injection (2 flaws)

Associated Flaws by CWE ID:

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE ID 78) (2 flaws)

Instances found via Static Scan

Flaw Id  Exploitability  Module #  Class #  Module                                                    Location
10131    Likely          46        -        aaplugininstallation.exe#11.1.0.0/automation.generic.dll  dev/.../processinvoker.cs 150

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : No user input is used.
Remaining Risk : None
Verification : Code review and testing.

Approve Mitigation (Automation Anywhere): Reviewed and approved


14926    Likely          46        -        aaplugininstallation.exe#11.1.0.0/automation.generic.dll  dev/.../processinvoker.cs 155

Mitigate by Design (Automation Anywhere): Promoted from Sandbox -


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : No user supplied data is used in the API calls.
Remaining Risk : None.
Verification : Code review and testing.

Approve Mitigation (Automation Anywhere): Promoted from Sandbox - Reviewed and approved.

High (4 flaws)    Fix Required by Policy
Status key: Flaw no longer impacts results. / Flaw continues to impact results.

Untrusted Initialization (1 flaw)

Associated Flaws by CWE ID:


External Control of System or Configuration Setting (CWE ID 15) (1 flaw)

Instances found via Static Scan

Flaw Id  Exploitability  Module #  Class #  Module                                             Location
7515     Neutral         40        -        aaplayer.exe#12.3.0.0/automation.notification.dll  dev/.../notificationcontext.cs 20

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : String used for dbpath parameter is not accessible to user input or action.
Remaining Risk : Minimal. Any actor with the ability to modify this information has already successfully
compromised the system.
Verification : Code review, fuzz testing, and penetration testing to attempt to access this parameter.

Approve Mitigation (Automation Anywhere): Reviewed and approved. Followup required in the next
release to confirm.

Potential Backdoor (3 flaws)

Associated Flaws by CWE ID:

Embedded Malicious Code (CWE ID 506) (3 flaws)

Instances found via Static Scan

Flaw Id  Exploitability  Module #  Class #  Module                   Location
8789     Neutral         30        -        automation.recorder.dll  dev/.../globalhook.cs 123

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : White list of valid callers (using the fully qualified path and file name in each entry) will be
used. Calls to the API specifying other DLLs or EXE files will be rejected. Since we're passing the name
of the entity to get access to the hooks (instead of their handle), we perform the getmodulehandle call on
the caller's file ONLY AFTER validating it against the white list.

Remaining Risk : Minimal. Since only selected files can be specified and succeed, the only way to subvert
this is to replace the (paths and names are undisclosed) whitelisted files with malware. If the attacker can
do that, the system is already fully compromised.

Verification : Make the API calls for setting windows hooks from other sources. Use:
valid path+invalid filename,
invalid path+valid filename,
blank or null path+filename and
valid path+blank or null filename.

Validate paths for length (must be greater than 5 characters and less than 255 characters).

Validate filenames for length and extension (must be at least 5 characters long, and cannot be longer
than 255 characters).

Use invalid characters in paths and file names to assure that behavior is uniform.

Confirm that all valid callers gain access to windows hooks.

Approve Mitigation (Automation Anywhere): Reviewed and accepted.


4608     Neutral         31        -        automation anywhere.exe#12.1.0.0  dev/.../commonfiles/globalhook.cs 161

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : White list of valid callers (using the fully qualified path and file name in each entry) will be
used. Calls to the API specifying other DLLs or EXE files will be rejected. Since we're passing the name
of the entity to get access to the hooks (instead of their handle), we perform the getmodulehandle call on
the caller's file ONLY AFTER validating it against the white list.
Remaining Risk : Minimal. Since only selected files can be specified and succeed, the only way to subvert
this is to replace the (paths and names are undisclosed) whitelisted files with malware. If the attacker can
do that, the system is already fully compromised.
Verification : Make the API calls for setting windows hooks from other sources. Use:
valid path+invalid filename,
invalid path+valid filename,
blank or null path+filename and
valid path+blank or null filename.

Validate paths for length (must be greater than 5 characters and less than 255 characters).

Validate filenames for length and extension (must be at least 5 characters long, and cannot be longer
than 255 characters).

Use invalid characters in paths and file names to assure that behavior is uniform.

Confirm that all valid callers gain access to windows hooks.

Approve Mitigation (Automation Anywhere): Mitigation accepted, per review.

Approve Mitigation (Automation Anywhere): Mitigation accepted, per review.

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs

Specifics : White list of valid callers (using the fully qualified path and file name in each entry) will be
used. Calls to the API specifying other DLLs or EXE files will be rejected. Since we're passing the name
of the entity to get access to the hooks (instead of their handle), we perform the getmodulehandle call on
the caller's file ONLY AFTER validating it against the white list.

Remaining Risk : Minimal. Since only selected files can be specified and succeed, the only way to subvert
this is to replace the (paths and names are undisclosed) whitelisted files with malware. If the attacker can
do that, the system is already fully compromised.

Verification : Make the API calls for setting windows hooks from other sources. Use:
valid path+invalid filename,
invalid path+valid filename,
blank or null path+filename and
valid path+blank or null filename.

Validate paths for length (must be greater than 5 characters and less than 255 characters).

Validate filenames for length and extension (must be at least 5 characters long, and cannot be longer
than 255 characters).

Use invalid characters in paths and file names to assure that behavior is uniform.

Confirm that all valid callers gain access to windows hooks.


8979     Neutral         65        -        automation.legacy.nativeapi.dll  dev/.../winapiwrapper.cs 345

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : White list of valid callers (using the fully qualified path and file name in each entry) will be
used. Calls to the API specifying other DLLs or EXE files will be rejected. Since we're passing the name
of the entity to get access to the hooks (instead of their handle), we perform the getmodulehandle call on
the caller's file ONLY AFTER validating it against the white list.

Remaining Risk : Minimal. Since only selected files can be specified and succeed, the only way to subvert
this is to replace the (paths and names are undisclosed) whitelisted files with malware. If the attacker can
do that, the system is already fully compromised.

Verification : Make the API calls for setting windows hooks from other sources. Use:
valid path+invalid filename,
invalid path+valid filename,
blank or null path+filename and
valid path+blank or null filename.

Validate paths for length (must be greater than 5 characters and less than 255 characters).

Validate filenames for length and extension (must be at least 5 characters long, and cannot be longer
than 255 characters).

Use invalid characters in paths and file names to assure that behavior is uniform.

Confirm that all valid callers gain access to windows hooks.

Approve Mitigation (Automation Anywhere): Reviewed and approved. Mark for follow up review in the
next release cycle.

Medium (158 flaws)    Fix Required by Policy
Status key: Flaw no longer impacts results. / Flaw continues to impact results.

Directory Traversal (84 flaws)

Associated Flaws by CWE ID:

External Control of File Name or Path (CWE ID 73) (84 flaws)

Instances found via Static Scan

Flaw Id  Exploitability  Module #  Class #  Module                                         Location
14532    Likely          4         -        automation.common.dll/automation.generic.dll  dev/.../xml/aasaferxmldocument.cs 177

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


8976     Likely          4         -        automation.common.dll/automation.generic.dll  dev/.../xml/aasaferxmldocument.cs 180

Mitigate by Design (Automation Anywhere):

Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Uses the Automation.Generic.Security.IO.IAAPathProvider interface to tightly validate path/file
input.
Remaining Risk : N/A
Verification : Verified

Approve Mitigation (Automation Anywhere): Approved

Reject Mitigation (Automation Anywhere): Updating mitigation. Input validation is still being
performed, but the biggest factor in mitigation is the fact that the input is trusted to begin with (see below).

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


4222     Likely          10        -        automation.common.dll  .../autologinconfiguration.cs 58

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All values of the path come from a trusted location.
Remaining Risk : NONE
Verification : A non-trusted path will not be accepted by the application.

Approve Mitigation (Automation Anywhere): Approved


2578     Likely          10        -        automation.common.dll  .../autologinconfiguration.cs 109

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All values of the path come from a trusted location.
Remaining Risk : NONE
Verification : A non-trusted path will not be accepted by the application.

Approve Mitigation (Automation Anywhere): Approved


17055    Likely          11        -        automation.common.dll  .../backupandrestoreoperations.cs 124

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs

Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


9883     Likely          14        -        automation.clientconfigurationservice.dll  .../clientserverpropertiesextension.cs 54

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All values of the path come from a trusted location.
Remaining Risk : NONE
Verification : A non-trusted path will not be accepted by the application.

Approve Mitigation (Automation Anywhere): Approved

Approve Mitigation (Automation Anywhere): Approved


2552     Likely          15        -        automation.chatviewer.exe#11.0.2.0/automation.util.dll  .../cloudfeatureconfiguration.cs 69

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


2547     Likely          16        -        automation helpviewer.exe#11.0.2.0/automation.util.dll  dev/.../commonconfiguration.cs 84

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


2561     Likely          16        -        automation helpviewer.exe#11.0.2.0/automation.util.dll  dev/.../commonconfiguration.cs 181

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


10041    Likely          19        -        automation.client.servercommunication.dll  dev/.../common/commonmethods.cs 98

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All values of the path come from a trusted location.
Remaining Risk : NONE
Verification : A non-trusted path will not be accepted by the application.

Approve Mitigation (Automation Anywhere): Approved


2565     Likely          18        -        automation anywhere.exe#12.1.0.0/automation.util.dll  dev/.../commonmethods.cs 300

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


713      Likely          17        -        aaplayer.exe#12.3.0.0  dev/.../commonmethods.cs 1292

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


14647    Likely          22        -        automation.generic.dll  dev/.../directoryoperations.cs 82

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


14928    Likely          22        -        automation.sso.dll/automation.generic.dll  dev/.../directoryoperations.cs 133

Mitigate by Design (Automation Anywhere): Promoted from Sandbox -


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Uses the Automation.Generic.Security.IO.IAAPathProvider interface to tightly validate path/file
input.
Remaining Risk : N/A
Verification : Verified

Approve Mitigation (Automation Anywhere): Promoted from Sandbox - Approved

Reject Mitigation (Automation Anywhere): Promoted from Sandbox - Updating mitigation. Input
validation is still being performed, but the biggest factor in mitigation is the fact that the input is trusted to
begin with (see below).

Mitigate by Design (Automation Anywhere): Promoted from Sandbox -


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Promoted from Sandbox - Approved


15956    Likely          22        -        aaplugininstallation.exe#11.1.0.0/automation.generic.dll  dev/.../directoryoperations.cs 138

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


15957    Likely          22        -        aaplugininstallation.exe#11.1.0.0/automation.generic.dll  dev/.../directoryoperations.cs 143

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


13932    Likely          22        -        aaautologinservice.exe#13.0.0.0/automation.generic.dll  dev/.../directoryoperations.cs 195

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


13806    Likely          24        -        automation.sso.dll/automation.generic.dll  dev/.../impl/fileoperations.cs 28

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


13804    Likely          24        -        automation.generic.dll  dev/.../impl/fileoperations.cs 33

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


13803    Likely          24        -        automation.sso.dll/automation.generic.dll  dev/.../impl/fileoperations.cs 38

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


9891 Likely 24 - aaplugininstallation.exe#11.1.0.0/automation.generic.dll dev/.../impl/fileoperations.cs 43

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


13841 Likely 24 - aaplugininstallation.exe#11.1.0.0/automation.generic.dll dev/.../impl/fileoperations.cs 48

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


13840 Likely 24 - automation.schedulerlibrary.dll/automation.generic.dll dev/.../impl/fileoperations.cs 54

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


9890 Likely 24 - aaplugininstallation.exe#11.1.0.0/automation.generic.dll dev/.../impl/fileoperations.cs 73

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


9457 Likely 24 - aaplugininstallation.exe#11.1.0.0/automation.generic.dll dev/.../impl/fileoperations.cs 78

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Uses the Automation.Generic.Security.IO.IAAPathProvider interface to tightly validate path/file
input.
Remaining Risk : N/A
Verification : Verified

Approve Mitigation (Automation Anywhere): Approved

Reject Mitigation (Automation Anywhere): Updating mitigation. Input validation is still being
performed, but the biggest factor in mitigation is the fact that the input is trusted to begin with (see below).

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


13802 Likely 24 - automation.generic.dll dev/.../impl/fileoperations.cs 83

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


13805 Likely 24 - automation.sso.dll/automation.generic.dll dev/.../impl/fileoperations.cs 88

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


13809 Likely 24 - automation.generic.dll dev/.../impl/fileoperations.cs 94

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


13842 Likely 24 - reportmanager.exe#11.0.2.0/automation.generic.dll dev/.../impl/fileoperations.cs 100

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


14645 Likely 24 - automation.generic.dll dev/.../impl/fileoperations.cs 106

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


13808 Likely 24 - automation.generic.dll dev/.../impl/fileoperations.cs 111

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved

28409 Likely 24 - automation.generic.dll dev/.../impl/fileoperations.cs 116

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Veracode is unable to detect the Get() method as it is implemented using an interface for
decoupling reasons, and due to this the implementation is segregated. The file path is constructed by the
AAPathProvider class and hence can't be tampered with.
Remaining Risk : NA
Verification : Code has been verified during a triage session with the development lead by tracing the
data flow provided by Veracode.

Approve Mitigation (Automation Anywhere): Approved. Veracode is unable to detect the Get() method
as it is implemented using an interface for decoupling reasons, and due to this the implementation is
segregated. The file path is constructed by the AAPathProvider class and hence can't be tampered with. All
the implementation of the Get() method is done using the IAAPath interface.


10209 Likely 24 - automation.generic.dll dev/.../impl/fileoperations.cs 121

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Uses the Automation.Generic.Security.IO.IAAPathProvider interface to tightly validate path/file
input.
Remaining Risk : N/A
Verification : Verified

Approve Mitigation (Automation Anywhere): Approved

Reject Mitigation (Automation Anywhere): Updating mitigation. Input validation is still being
performed, but the biggest factor in mitigation is the fact that the input is trusted to begin with (see below).

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


32066 Likely 24 - automation.generic.dll dev/.../impl/fileoperations.cs 126

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Input is coming from a trusted source.
Remaining Risk : None
Verification : If the path does not come through an internal source it will not be accepted by the
application.

Approve Mitigation (Automation Anywhere): Approved.


14682 Likely 24 - aaplugininstallation.exe#11.1.0.0/automation.generic.dll dev/.../impl/fileoperations.cs 131

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All user input to this functionality is trusted. Using the input to control the file name is the
intended design. The user cannot select any file which is not already inside of their trust boundary
(Windows session).
Remaining Risk : Little to none.
Verification : Approved

Approve Mitigation (Automation Anywhere): Approved


10207 Likely 24 - automation.generic.dll dev/.../impl/fileoperations.cs 136

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Uses the Automation.Generic.Security.IO.IAAPathProvider interface to tightly validate path/file
input.
Remaining Risk : N/A
Verification : Verified

Approve Mitigation (Automation Anywhere): Approved

Reject Mitigation (Automation Anywhere): Updating mitigation. Input validation is still being
performed, but the biggest factor in mitigation is the fact that the input is trusted to begin with (see below).

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


10208 Likely 24 - automation.generic.dll dev/.../impl/fileoperations.cs 141

Mitigate by Design (Automation Anywhere):

Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Uses the Automation.Generic.Security.IO.IAAPathProvider interface to tightly validate path/file
input.
Remaining Risk : N/A
Verification : Verified

Approve Mitigation (Automation Anywhere): Approved

Reject Mitigation (Automation Anywhere): Updating mitigation. Input validation is still being
performed, but the biggest factor in mitigation is the fact that the input is trusted to begin with (see below).

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


14646 Likely 24 - automation.generic.dll dev/.../impl/fileoperations.cs 146

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


14643 Likely 24 - automation.generic.dll dev/.../impl/fileoperations.cs 151

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


14642 Likely 24 - automation.generic.dll dev/.../impl/fileoperations.cs 156

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


14644 Likely 24 - automation.generic.dll dev/.../impl/fileoperations.cs 161

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


895 Likely 26 - automation anywhere.exe#12.1.0.0 dev/.../frmdownloadhelpfile.cs 47

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


4575 Likely 28 - reportmanager.exe#11.0.2.0 dev/.../report/frmreports.cs 2408

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


4212 Likely 33 - aa.editorx.ui.dll .../ieextractmultipledata.cs 116

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Making sure that the path is validated before processing the file.
Remaining Risk : Validation can be bypassed provided the AES256 encryption is broken and the obfuscated
assemblies decompiled.
Verification : These are internal AAE assemblies which are signed and can only be used by signed AAE
assemblies.
automation.editor\AA.EditorX.UI\WebAutomation\CommonFiles\IEExtractMultipleData.cs

public string GetImageActionCase(IHTMLImgElement imageElement, bool isPlayTime)
{
    if (isPlayTime && !string.IsNullOrEmpty(MhtmCnt.ImagePath))
    {
        // Keep only the leaf name of the image source; any directory component is dropped.
        string fileName = System.IO.Path.GetFileName(imageElement.src + "");
        try
        {
            IAAPathProvider aaPathProvider = new AAPathProvider();
            System.Net.WebClient client = new System.Net.WebClient();

            // Target path: the configured image directory plus the leaf name.
            string imageFileName = MhtmCnt.ImagePath + (!MhtmCnt.ImagePath.EndsWith("\\") ? "\\" : "") + fileName;

            // The path provider validates the target path before the download is written to disk.
            client.DownloadFile(imageElement.src, aaPathProvider.GetFilePathProvider(imageFileName).Get());
            return "Successfully downloaded";
        }
        catch (Exception ex)
        {
            //Jecky [July 2011]
            Automation.Common.Log.Write(Automation.Common.Log.Modules.Editor,
                Automation.Common.Log.LogTypes.FATAL, "GetImageActionCase", string.Empty, ex);
            return "Successfully not downloaded";
        }
    }
    else
    {
        return "";
    }
}

Approve Mitigation (Automation Anywhere): Approved. AAE assemblies are signed by AES 256
encryption and there is no known practical method to crack it at present.


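The CWE-73 mitigations in this section rest on path validation: the IAAPathProvider / AAPathProvider layer named in the entries above and, in GetImageActionCase, System.IO.Path.GetFileName() reducing imageElement.src to a leaf name before it is joined to MhtmCnt.ImagePath. The C# class below is an added example of what such a confining path provider looks like; it is not Automation Anywhere's AAPathProvider and not code from this report. The class name ConfinedPathProvider, the base directory C:\AA\images and the sample names in Main are constructed for illustration.

```csharp
// Added example, not Automation Anywhere code: a minimal path provider that confines a
// caller-supplied file name to one configured base directory (CWE-73 mitigation).
// ConfinedPathProvider, the base directory and the sample names below are constructed
// for illustration.
using System;
using System.IO;

public sealed class ConfinedPathProvider
{
    private readonly string _baseDir;

    public ConfinedPathProvider(string baseDir)
    {
        // Canonicalize once and keep a trailing separator, so that a prefix check on
        // "C:\AA\images\" cannot be satisfied by "C:\AA\images2\evil.png".
        string full = Path.GetFullPath(baseDir)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar);
        _baseDir = full + Path.DirectorySeparatorChar;
    }

    // Returns the absolute path to open, or throws if the name cannot be confined.
    public string Get(string name)
    {
        if (string.IsNullOrWhiteSpace(name))
            throw new ArgumentException("empty file name");

        // Step 1: drop any directory component. On Windows, GetFileName turns
        // "..\x\evil.png", "C:\x\evil.png" and "/x/evil.png" into "evil.png", but it
        // passes "." and ".." through unchanged, so this check alone is not enough.
        string leaf = Path.GetFileName(name);
        if (leaf.Length == 0 || leaf.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new ArgumentException("invalid file name: " + name);

        // Step 2: combine, re-canonicalize, and compare against the base directory.
        // This is what rejects "..", which would otherwise resolve to the parent.
        string candidate = Path.GetFullPath(Path.Combine(_baseDir, leaf));
        if (!candidate.StartsWith(_baseDir, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("path escapes base directory: " + candidate);

        return candidate;
    }
}

public static class ConfinedPathProviderDemo
{
    public static void Main()
    {
        // Constructed base directory; Get() touches nothing on disk.
        var provider = new ConfinedPathProvider(@"C:\AA\images");

        string[] samples =
        {
            "logo.png",                                   // plain leaf name
            @"..\..\Windows\System32\drivers\etc\hosts",  // traversal attempt
            "..",                                         // bare parent reference
            "report.txt:hidden",                          // NTFS alternate data stream syntax
            "",                                           // empty name
        };

        foreach (string s in samples)
        {
            try
            {
                Console.WriteLine("{0,-45} -> {1}", "\"" + s + "\"", provider.Get(s));
            }
            catch (Exception ex) when (ex is ArgumentException || ex is UnauthorizedAccessException)
            {
                Console.WriteLine("{0,-45} -> REJECTED ({1})", "\"" + s + "\"", ex.Message);
            }
        }
    }
}
```

Both checks are needed. Path.GetFileName() drops directory components, so a traversal string such as ..\..\Windows\System32\drivers\etc\hosts is reduced to hosts and lands inside the base directory, but it passes "." and ".." through unchanged and does nothing about characters that are invalid in a Windows file name (the ':' of an alternate data stream, for instance). Re-canonicalizing with Path.GetFullPath() and comparing against the base directory with its trailing separator is what rejects "..", and it also rejects Windows reserved device names such as CON, which GetFullPath() canonicalizes to a \\.\ device path. The comparison is case-insensitive because Windows volumes are by default; on a case-sensitive file system use StringComparison.Ordinal.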
33651 Likely 35 - automation.client.deploymentservice.dll dev/.../jobfileoperation.cs 44

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : The value of the path is coming from a trusted location.
Remaining Risk : None
Verification : A non-trusted path will not be accepted by the application.

Approve Mitigation (Automation Anywhere): Approved


33650 Likely 35 - automation.client.deploymentservice.dll dev/.../jobfileoperation.cs 81

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : The value of the path is coming from a trusted location.
Remaining Risk : None
Verification : A non-trusted path will not be accepted by the application.

Approve Mitigation (Automation Anywhere): Approved


17001 Likely 37 - automation.common.dll .../legacyproductconfiguration.cs 290

Mitigate by Design (Automation Anywhere):

Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


13969 Likely 38 - automation.common.dll/automation.generic.dll .../logconfigfilemanager.cs 33

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All user input to this functionality is trusted. Using the input to control the file name is the
intended design.
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


19480 Likely 41 - automation helpviewer.exe#11.0.2.0 dev/.../onlinehelp.cs 210

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Potential False Positive (Automation Anywhere): Approved

Approve Mitigation (Automation Anywhere): Approved


14066 Likely 42 - automation.generic.dll dev/.../impl/packageoperations.cs 20

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


14064 Likely 42 - automation.client.servercommunication.dll/automation.generic.dll dev/.../impl/packageoperations.cs 25

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


14065 Likely 42 - automation.metabot.engine.dll/automation.generic.dll dev/.../impl/packageoperations.cs 35

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


10112 Likely 47 - automation.fipsdata.migration.exe#11.0.2.0 .../reader/productconfiguration.cs 70

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


10111 Likely 47 - automation.fipsdata.migration.exe#11.0.2.0 .../reader/productconfiguration.cs 121

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


10119 Likely 47 - automation.fipsdata.migration.exe#11.0.2.0 .../reader/productconfiguration.cs 159

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


3053 Likely 48 - automation anywhere.exe#12.1.0.0 dev/.../scriptfile/property.cs 206

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


3113 Likely 48 - automation anywhere.exe#12.1.0.0 dev/.../scriptfile/property.cs 345

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


3086 Likely 48 - automation anywhere.exe#12.1.0.0 dev/.../scriptfile/property.cs 407

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


1894 Likely 49 - aaproxyserver.exe#11.0.2.0 dev/.../proxyserver.cs 954

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


3654 Likely 50 - automation.schedulerlibrary.dll .../readwritetaskschedules.cs 773

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


42088 Likely 51 - aaplayer.exe#12.3.0.0 dev/.../repositoryoperation.cs 147

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : The value of the path comes from a trusted location.
Remaining Risk : None
Verification : A non-trusted path will not be accepted by the application

Approve Mitigation (Automation Anywhere): Approved


42087 Likely 51 - aaplayer.exe#12.3.0.0 dev/.../repositoryoperation.cs 148

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : The value of the path comes from a trusted location.
Remaining Risk : None
Verification : A non-trusted path will not be accepted by the application

Approve Mitigation (Automation Anywhere): Approved


10033 Likely 53 - automation.common.dll dev/.../common/routines.cs 137

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Veracode is unable to detect the Get() method because it is implemented through an interface for
decoupling reasons, and due to this the implementation is segregated; the file path is constructed by the
AAPathProvider class and hence cannot be tampered with.
Remaining Risk : NA
Verification : Code has been verified during a triage session with the development lead by tracing the data
flow provided by Veracode.

Approve Mitigation (Automation Anywhere): Approved. Veracode is unable to detect the Get() method
because it is implemented through an interface for decoupling reasons, and due to this the implementation
is segregated; the file path is constructed by the AAPathProvider class and hence cannot be tampered with.
All implementations of the Get() method are done using the IAAPath interface.


1607 Likely 52 - automationeventwatcher.exe#12.0.0.0/automation.eventwatcher.dll/automation.schedulerlibrary.dll dev/.../schedulerlogic/routines.cs 371

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


42510 Likely - 2 aasilverlightinjector.exe#10.2.1.0 System.Collections.Generic.IEnumerable<string> GetArgumentsFromFile(string) 92%

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : The value of the path comes from a trusted admin.
Remaining Risk : None
Verification : This is a one-time activity performed by a trusted admin.

Approve Mitigation (Automation Anywhere): Approved


10293 Likely 57 - reportmanager.exe#11.0.2.0 dev/.../systemlogmigration.cs 82

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


33649 Likely 58 - automation.client.deploymentservice.dll dev/.../tasklogwatcher.cs 375

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : A non-trusted path will not be accepted by the application
Remaining Risk : None
Verification : A non-trusted path will not be accepted by the application

Approve Mitigation (Automation Anywhere): Approved


13861 Likely 59 - automation.fipsdata.migration.exe#11.0.2.0 .../triggermigrationservices.cs 49

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


4225 Likely 62 - automation.common.dll dev/.../userconfiguration.cs 68

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : The value of the path comes from a trusted location.
Remaining Risk : None
Verification : A non-trusted path will not be accepted by the application

Approve Mitigation (Automation Anywhere): Approved


2568 Likely 62 - automation.common.dll dev/.../userconfiguration.cs 104

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : The value of the path comes from a trusted location.
Remaining Risk : None
Verification : A non-trusted path will not be accepted by the application

Approve Mitigation (Automation Anywhere): Approved


1597 Likely 62 - automation.common.dll dev/.../userconfiguration.cs 161

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : The value of the path comes from a trusted location.
Remaining Risk : None
Verification : A non-trusted path will not be accepted by the application

Approve Mitigation (Automation Anywhere): Approved


2584 Likely 62 - automation.common.dll dev/.../userconfiguration.cs 209

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : The value of the path comes from a trusted location.
Remaining Risk : None
Verification : A non-trusted path will not be accepted by the application

Approve Mitigation (Automation Anywhere): Approved


2574 Likely 62 - automation.common.dll dev/.../userconfiguration.cs 270

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : The value of the path comes from a trusted location.
Remaining Risk : None
Verification : A non-trusted path will not be accepted by the application

Approve Mitigation (Automation Anywhere): Approved


2569 Likely 62 - automation.common.dll dev/.../userconfiguration.cs 308

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : The value of the path comes from a trusted location.
Remaining Risk : None
Verification : A non-trusted path will not be accepted by the application

Approve Mitigation (Automation Anywhere): Approved


2573 Likely 62 - automation.common.dll dev/.../userconfiguration.cs 354

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : The value of the path comes from a trusted location.
Remaining Risk : None
Verification : A non-trusted path will not be accepted by the application

Approve Mitigation (Automation Anywhere): Approved


1631 Likely 62 - automation.common.dll dev/.../userconfiguration.cs 479

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : The value of the path comes from a trusted location.
Remaining Risk : None
Verification : A non-trusted path will not be accepted by the application

Approve Mitigation (Automation Anywhere): Approved


2542 Likely 62 - automation.common.dll dev/.../userconfiguration.cs 679

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : The value of the path comes from a trusted location.
Remaining Risk : None
Verification : A non-trusted path will not be accepted by the application

Approve Mitigation (Automation Anywhere): Approved


2555 Likely 62 - automation.common.dll dev/.../userconfiguration.cs 725

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : The value of the path comes from a trusted location.
Remaining Risk : None
Verification : A non-trusted path will not be accepted by the application

Approve Mitigation (Automation Anywhere): Approved


27331 Likely 63 - aa.editorx.ui.dll dev/.../web services/webservice.cs 248

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Making sure that the path is validated before processing the file.
Remaining Risk : Validation can be bypassed provided that the AES256 encryption is broken and the obfuscated
assemblies are decompiled.
Verification : These are internal AAE assemblies, which are signed and can only be used by signed AAE
assemblies.


\automation.editor\AA.EditorX.UI\Web Services\WebService.cs

    private dynamic getServiceResponseStream(string serviceUri)
    {
        // Remote WSDL: only a URL that passes IsHttpURLValid is fetched over HTTP.
        if (IsHttpURLValid(serviceUri))
        {
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(serviceUri);
            if (!string.IsNullOrEmpty(getUserAgentValue()))
                request.UserAgent = getUserAgentValue();
            return new StreamReader(request.GetResponse().GetResponseStream());
        }

        // Local WSDL: the file path is produced by the AA path provider, and the
        // reader is given no resolver and has DTD processing prohibited, so no
        // external entity can be resolved while the file is read.
        XmlTextReader reader = new XmlTextReader(_aaPathProvider.GetFilePathProvider(serviceUri).Get());
        reader.XmlResolver = null;
        reader.DtdProcessing = DtdProcessing.Prohibit;
        _logger.LogDebug($"{CLASS_NAME}:{nameof(ReadWsdl)}", () => "Reading wsdl file");
        return reader;
    }

Approve Mitigation (Automation Anywhere): Approved. AAE assemblies are signed with AES 256 encryption
and there is no known practical method to crack it at present.


30854 Likely 63 - aa.editorx.ui.dll dev/.../web services/webservice.cs 806

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Making sure that the path is validated before processing the file.
Remaining Risk : Validation can be bypassed provided that the AES256 encryption is broken and the obfuscated
assemblies are decompiled.
Verification : These are internal AAE assemblies, which are signed and can only be used by signed AAE
assemblies.

\automation.editor\AA.EditorX.UI\Web Services\Webservice.cs

    private void addClientCertificateToWebRequest(HttpWebRequest webRequest)
    {
        // The certificate file path is supplied by the AA path provider rather
        // than taken directly from the caller.
        webRequest.ClientCertificates.Add(
            System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile(
                _aaPathProvider.GetFilePathProvider(Certificate).Get()));
    }

Approve Mitigation (Automation Anywhere): Approved. AAE assemblies are signed with AES 256 encryption
and there is no known practical method to crack it at present.


35372 Likely 64 - aaplayer.exe#12.3.0.0 dev/.../webservice/webservice.cs 999

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : The input validation has been done by internal Automation Anywhere logic. Input has been
validated.
Remaining Risk : NA
Verification : We are using .NET Framework 4.6 to mitigate this vulnerability.

Approve Mitigation (Automation Anywhere): Approved


10108 Likely 67 - automation.schedulerlibrary.dll/automation.generic.dll dev/.../xmlconfiguration.cs 186

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


6881 Likely 68 - automation.fipsdata.migration.exe#11.0.2.0 dev/.../reader/xmlfilemanager.cs 32

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved


10037 Likely 70 - automation.metabot.engine.dll/automation.util.dll dev/.../xmlserializer.cs 112

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input to this call is considered trusted. CWE 73 is related to **external** control of the
filename or path. However this flaw deals with **internal** control because it involves a thick client app
that is running locally and all input is coming from the local user logged into a Windows session. Hence,
this is by design, as we want to give the ability to determine filenames and paths.
Remaining Risk : Little to none. The user will not be able to select a filename or path which is not already
accessible to them through the standard local Windows session. OS file system permissions restrict this
access.
Verification : Design review, Veracode consultation 3/22/18

Approve Mitigation (Automation Anywhere): Approved
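
The CWE-73 mitigations above all rest on the same two claims: the path comes from the local user or from a trusted location, and a path outside the trusted location is not accepted by the application. The C# below is an added example written for this review, not Automation Anywhere code, showing the containment check a reviewer would want to see behind the second claim: the candidate path is canonicalised and must resolve under an allowed root. The root directory, the sample inputs and the class name are hypothetical.

```csharp
using System;
using System.IO;

// Added example for this review; not Automation Anywhere code.
// Demonstrates the check behind "a non-trusted path will not be accepted":
// resolve the user-chosen path and require it to stay under an allowed root.
// Root directory, sample paths and class name are hypothetical.
public static class TrustedPathCheck
{
    // Returns the canonical full path of 'candidate' if it resolves inside
    // 'allowedRoot', otherwise null. Relative and absolute inputs are both handled.
    // The root directory itself is rejected too: callers want a file inside it.
    public static string ResolveInsideRoot(string allowedRoot, string candidate)
    {
        if (string.IsNullOrWhiteSpace(candidate))
            return null;

        try
        {
            // Normalise the root once and give it a trailing separator so that
            // "C:\Data\Config" does not accept "C:\Data\ConfigEvil\x".
            string root = Path.GetFullPath(allowedRoot)
                .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
                + Path.DirectorySeparatorChar;

            // Path.Combine returns 'candidate' unchanged when it is already rooted
            // (drive letter or UNC path), and GetFullPath collapses ".." segments.
            // Either way the result is compared against the canonical root.
            string full = Path.GetFullPath(Path.Combine(root, candidate));

            // Windows file systems are case-insensitive, so compare accordingly.
            return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? full : null;
        }
        catch (ArgumentException)      // illegal characters in the path
        {
            return null;
        }
        catch (NotSupportedException)  // a colon where no drive letter can be
        {
            return null;
        }
        catch (PathTooLongException)
        {
            return null;
        }
    }

    public static void Main()
    {
        // Hypothetical root for user-selected configuration files.
        string root = @"C:\ProgramData\AutomationAnywhere\Config";

        // Constructed inputs: the first two should be accepted, the rest rejected.
        string[] samples =
        {
            "user.config",
            @"tasks\daily.atmx",
            @"..\..\..\Windows\win.ini",
            @"tasks\..\..\other.config",
            @"C:\Windows\system.ini",
            @"\\fileserver\share\task.atmx",
        };

        foreach (string s in samples)
        {
            string resolved = ResolveInsideRoot(root, s);
            Console.WriteLine("{0,-32} -> {1}", s, resolved ?? "REJECTED");
        }
    }
}
```

Two caveats apply to a check of this shape. Path.GetFullPath does not follow junctions or symbolic links, so a reparse point inside the root can still lead outside it; and the check only decides which path is opened, not what the process may do with it, so the OS file-system permissions the mitigations cite remain the final control. The check is also only as good as the root: if the "trusted location" is writable by a lower-privileged user, containment no longer means trust.
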

Untrusted Search Path(1 flaw)

Associated Flaws by CWE ID:

Uncontrolled Search Path Element (CWE ID 427)(1 flaw)

Instances found via Static Scan


Flaw Id Exploitability Module # Class # Module Location
8633 Neutral - 1 aasilverlightinjector.exe#10.2.1.0 void BtnBuyNow_Click(object, System.EventArgs) 20%

Potential False Positive (Automation Anywhere): Full path is given (in this case, a URL)

Approve Mitigation (Automation Anywhere): Approved

Encapsulation(1 flaw)

Associated Flaws by CWE ID:

Deserialization of Untrusted Data (CWE ID 502)(1 flaw)

Instances found via Static Scan


Flaw Id Exploitability Module # Class # Module Location
39057 Neutral 12 - aaplugininstallation.exe#11.1.0.0 .../chromeextensionplugininstallation.cs 419

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Establish and maintain control over all of your inputs
Remaining Risk : None
Verification : A non-trusted path will not be accepted by the application

Approve Mitigation (Automation Anywhere): Verified and closed.

Information Leakage(48 flaws)

Associated Flaws by CWE ID:

Improper Restriction of XML External Entity Reference (CWE ID 611)(45 flaws)

Instances found via Static Scan


Flaw Id Exploitability Module # Class # Module Location
3489 Neutral 1 - automation.core.dll dev/.../baseobjects/aaarray.cs 103

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : Use of .NET 4.6 sets the DTD processing default to DTDProhibited, which throws an
XXEException when XXE is encountered.
Remaining Risk : Minimal. As long as all .NET components using XMLReader are built with the 4.6 or
later version this defect cannot affect system security.
Verification : Unit tests and use of AASaferXMLDocument class to catch possible XXEExceptions.

Approve Mitigation (Automation Anywhere): Reviewed and approved.


33625 Neutral 2 - automation.core.dll dev/.../aadictionary.cs 136

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : .NET 4.5.2 or a later version is used, the DtdProcessing property is set to 'Prohibit' and the
XmlResolver property is set to 'null'.
Remaining Risk : None
Verification : AAE Client uses .NET 4.6

Approve Mitigation (Automation Anywhere): Approved


4338 Neutral 3 - automation.core.dll dev/.../baseobjects/aalist.cs 177

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : Use of .NET 4.6 sets the DTD processing default to DTDProhibited, which throws an
XXEException when XXE is encountered.
Remaining Risk : Minimal. As long as all .NET components using XMLReader are built with the 4.6 or
later version this defect cannot affect system security.
Verification : Unit tests and use of AASaferXMLDocument class to catch possible XXEExceptions.

Approve Mitigation (Automation Anywhere): Reviewed and approved.


9888 Neutral 4 - aaplayer.exe#12.3.0.0/automation.generic.dll dev/.../xml/aasaferxmldocument.cs 81

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : AAE requires .NET 4.6

.NET 4.5.2+ by default creates safe versions of the XML parsers used in AAE.

Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


14531 Neutral 4 - automationeventwatcher.exe#12.0.0.0/automation.generic.dll dev/.../xml/aasaferxmldocument.cs 113

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : AAE requires .NET 4.6

.NET 4.5.2+ by default creates safe versions of the XML parsers used in AAE.

Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


9893 Neutral 4 - automation.sso.dll/automation.generic.dll dev/.../xml/aasaferxmldocument.cs 145

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : AAE requires .NET 4.6


.NET 4.5.2+ by default creates safe versions of the XML parsers used in AAE.

Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


6917 Neutral 4 - automation.common.dll/automation.generic.dll dev/.../xml/aasaferxmldocument.cs 177

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : Use of .NET 4.6 sets the DTD processing default to DTDProhibited, which throws an
XXEException when XXE is encountered.
Remaining Risk : Minimal. As long as all .NET components using XMLReader are built with the 4.6 or
later version this defect cannot affect system security.
Verification : Unit tests and use of AASaferXMLDocument class to catch possible XXEExceptions.

Approve Mitigation (Automation Anywhere): Reviewed and approved.


14927 Neutral 4 - automation.sso.dll/automation.generic.dll dev/.../xml/aasaferxmldocument.cs 269

Mitigate by Design (Automation Anywhere): Promoted from Sandbox -


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : AAE requires .NET 4.6

.NET 4.5.2+ by default creates safe versions of the XML parsers used in AAE.

Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Promoted from Sandbox - Approved


4185 Neutral 10 - automation.common.dll .../autologinconfiguration.cs 58

Potential False Positive (Automation Anywhere): AAE requires .NET 4.6

.NET 4.5.2+ by default creates safe versions of the XML parsers used in AAE.

Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET

Approve Mitigation (Automation Anywhere): Approved


2585 Neutral 10 - automation.common.dll .../autologinconfiguration.cs 109

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Used .NET 4.5.2 or later and set the DtdProcessing property to 'Prohibit' and the
XmlResolver property to 'null'.
Remaining Risk : none
Verification : AAE Client uses .NET 4.6

Approve Mitigation (Automation Anywhere): Approved


17056 Neutral 11 - automation.common.dll .../backupandrestoreoperations.cs 124

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : .NET 4.6 sets the DTD processing default to DTDProhibited, which throws an XXEException
when XXE is encountered
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


2557 Neutral 16 - automation helpviewer.exe#11.0.2.0/automation.util.dll dev/.../commonconfiguration.cs 84

Potential False Positive (Automation Anywhere): AAE requires .NET 4.6

.NET 4.5.2+ by default creates safe versions of the XML parsers used in AAE.

Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET

Approve Mitigation (Automation Anywhere): Approved


1509 Neutral 20 - automation.sso.dll dev/.../cookieutil.cs 85

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : Use of .NET 4.6 sets the DTD processing default to DTDProhibited, which throws an
XXEException when XXE is encountered.

Remaining Risk : Minimal. As long as all .NET components using XMLReader are built with the 4.6 or
later version this defect cannot affect system security.

Verification : Unit tests and use of AASaferXMLDocument class to catch possible XXEExceptions, as well
as exception handler cases in code to catch the XXEException(s).

Approve Mitigation (Automation Anywhere): Reviewed and approved. Followup Item: Confirm that
XXEException handling code is present to deal with possible exceptions when reading XML in the next
release.

1508 Neutral 20 - automation.sso.dll dev/.../cookieutil.cs 115

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : Use of .NET 4.6 sets the DTD processing default to DTDProhibited, which throws an
XXEException when XXE is encountered.

Remaining Risk : Minimal. As long as all .NET components using XMLReader are built with the 4.6 or
later version this defect cannot affect system security.

Verification : Unit tests and use of AASaferXMLDocument class to catch possible XXEExceptions, as well
as exception handler cases in code to catch the XXEException(s).

Approve Mitigation (Automation Anywhere): Reviewed and approved. Followup Item: Confirm that
XXEException handling code is present to deal with possible exceptions when reading XML in the next
release.
6843 Neutral 25 - aaplugininstallation.exe#11.1.0.0 dev/.../flexsettingsreader.cs 99

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : Use of .NET 4.6 sets the DTD processing default to DTDProhibited, which throws an
XXEException when XXE is encountered.
Remaining Risk : Minimal. As long as all .NET components using XMLReader are built with the 4.6 or
later version this defect cannot affect system security.
Verification : Unit tests and use of AASaferXMLDocument class to catch possible XXEExceptions.

Approve Mitigation (Automation Anywhere): Reviewed and approved.


8793 Neutral 29 - aa.editorx.ui.dll .../frmsoapwebservicebuilduri.cs 398

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : Use of .NET 4.6 sets the DTD processing default to DTDProhibited, which throws an
XXEException when XXE is encountered.

Remaining Risk : Minimal. As long as all .NET components using XMLReader are built with the 4.6 or
later version this defect cannot affect system security.

Verification : Unit tests and use of AASaferXMLDocument class to catch possible XXEExceptions, as well
as exception handler cases in code to catch the XXEException(s).

Approve Mitigation (Automation Anywhere): Reviewed and approved. Followup Item: Confirm that
XXEException handling code is present to deal with possible exceptions when reading XML in the next
release.

16999 Neutral 37 - automation.common.dll .../legacyproductconfiguration.cs 290

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : Use of .NET 4.6 sets the DTD processing default to DTDProhibited, which throws an
XXEException when XXE is encountered.
Remaining Risk : Minimal. As long as all .NET components using XMLReader are built with the 4.6 or
later version this defect cannot affect system security.
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


13859 Neutral 47 - automation.fipsdata.migration.exe#11.0.2.0 .../reader/productconfiguration.cs 70

Potential False Positive (Automation Anywhere): AAE requires .NET 4.6

.NET 4.5.2+ by default creates safe versions of the XML parsers used in AAE.

Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET

Approve Mitigation (Automation Anywhere): Approved


13858 Neutral 47 - automation.fipsdata.migration.exe#11.0.2.0 .../reader/productconfiguration.cs 159

Potential False Positive (Automation Anywhere): AAE requires .NET 4.6

.NET 4.5.2+ by default creates safe versions of the XML parsers used in AAE.

Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET

Approve Mitigation (Automation Anywhere): Approved


3057 Neutral 48 - automation anywhere.exe#12.1.0.0 dev/.../scriptfile/property.cs 206

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : Use of .NET 4.6 sets the DTD processing default to DTDProhibited, which throws an
XXEException when XXE is encountered.
Remaining Risk : Minimal. As long as all .NET components using XMLReader are built with the 4.6 or
later version this defect cannot affect system security.
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved



3099 Neutral 48 - automation anywhere.exe#12.1.0.0 dev/.../scriptfile/property.cs 345

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : Use of .NET 4.6 sets the DTD processing default to DTDProhibited, which throws an
XXEException when XXE is encountered.
Remaining Risk : Minimal. As long as all .NET components using XMLReader are built with the 4.6 or
later version this defect cannot affect system security.
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


3060 Neutral 48 - automation anywhere.exe#12.1.0.0 dev/.../scriptfile/property.cs 407

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : Use of .NET 4.6 sets the DTD processing default to DTDProhibited, which throws an
XXEException when XXE is encountered.
Remaining Risk : Minimal. As long as all .NET components using XMLReader are built with the 4.6 or
later version this defect cannot affect system security.
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


1893 Neutral 49 - aaproxyserver.exe#11.0.2.0 dev/.../proxyserver.cs 954

Potential False Positive (Automation Anywhere): AAE requires .NET 4.6

.NET 4.5.2+ by default creates safe versions of the XML parsers used in AAE.

Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET

Approve Mitigation (Automation Anywhere): Approved


10031 Neutral 53 - automation.common.dll dev/.../common/routines.cs 137

Potential False Positive (Automation Anywhere): AAE requires .NET 4.6

.NET 4.5.2+ by default creates safe versions of the XML parsers used in AAE.

Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET

Approve Mitigation (Automation Anywhere): Approved


10305 Neutral 57 - reportmanager.exe#11.0.2.0 dev/.../systemlogmigration.cs 82


Potential False Positive (Automation Anywhere): AAE requires .NET 4.6

.NET 4.5.2+ by default creates safe versions of the XML parsers used in AAE.

Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET

Approve Mitigation (Automation Anywhere): Approved


13860 Neutral 59 - automation.fipsdata.migration.exe#11.0.2.0 .../triggermigrationservices.cs 49

Potential False Positive (Automation Anywhere): AAE requires .NET 4.6

.NET 4.5.2+ by default creates safe versions of the XML parsers used in AAE.

Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET

Approve Mitigation (Automation Anywhere): Approved


1636 Neutral 62 - automation.common.dll dev/.../userconfiguration.cs 68

Potential False Positive (Automation Anywhere): AAE requires .NET 4.6

.NET 4.5.2+ by default creates safe versions of the XML parsers used in AAE.

Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET

Approve Mitigation (Automation Anywhere): Approved


2559 Neutral 62 - automation.common.dll dev/.../userconfiguration.cs 104

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Used .NET 4.5.2 or later and set the DtdProcessing property to 'Prohibit' and the
XmlResolver property to 'null'.
Remaining Risk : none
Verification : AAE client uses .NET 4.6

Approve Mitigation (Automation Anywhere): Approved


1585 Neutral 62 - automation.common.dll dev/.../userconfiguration.cs 161

Potential False Positive (Automation Anywhere): AAE requires .NET 4.6

.NET 4.5.2+ by default creates safe versions of the XML parsers used in AAE.



Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET

Approve Mitigation (Automation Anywhere): Approved


2553 Neutral 62 - automation.common.dll dev/.../userconfiguration.cs 209

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Used .NET 4.5.2 or later and set the DtdProcessing property to 'Prohibit' and the
XmlResolver property to 'null'.
Remaining Risk : none
Verification : AAE client uses the .NET 4.6 framework

Approve Mitigation (Automation Anywhere): Approved


2545 Neutral 62 - automation.common.dll dev/.../userconfiguration.cs 270

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Used .NET 4.5.2 or later and set the DtdProcessing property to 'Prohibit' and the
XmlResolver property to 'null'.
Remaining Risk : None
Verification : AAE client uses .NET 4.6

Approve Mitigation (Automation Anywhere): Approved


2579 Neutral 62 - automation.common.dll dev/.../userconfiguration.cs 308

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Used .NET 4.5.2 or later and set the DtdProcessing property to 'Prohibit' and the
XmlResolver property to 'null'.
Remaining Risk : None
Verification : AAE client uses .NET 4.6

Approve Mitigation (Automation Anywhere): Approved


2566 Neutral 62 - automation.common.dll dev/.../userconfiguration.cs 354

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Used .NET 4.5.2 or later and set the DtdProcessing property to 'Prohibit' and the
XmlResolver property to 'null'.
Remaining Risk : none
Verification : AAE client uses .NET 4.6

Approve Mitigation (Automation Anywhere): Approved


1665 Neutral 62 - automation.common.dll dev/.../userconfiguration.cs 479


Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Used .NET 4.5.2 or later and set the DtdProcessing property to 'Prohibit' and the
XmlResolver property to 'null'.
Remaining Risk : none
Verification : AAE Client uses .NET 4.6

Approve Mitigation (Automation Anywhere): Approved

Approve Mitigation (Automation Anywhere): Approved


2550 Neutral 62 - automation.common.dll dev/.../userconfiguration.cs 725

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Used .NET 4.5.2 or later and set the DtdProcessing property to 'Prohibit' and the
XmlResolver property to 'null'.
Remaining Risk : none
Verification : AAE client uses .NET 4.6

Approve Mitigation (Automation Anywhere): Approved


21650 Neutral 64 - aaplayer.exe#12.3.0.0 dev/.../webservice/webservice.cs 368

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : MS .NET platform disables XXE by default in versions 4.5.2 +
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


26532 Neutral 64 - aaplayer.exe#12.3.0.0 dev/.../webservice/webservice.cs 619

Potential False Positive (Automation Anywhere): Used .NET 4.5.2 or later and set the DtdProcessing
property to 'Prohibit' and the XmlResolver property to 'null'.

Approve Mitigation (Automation Anywhere): Approved


26531 Neutral 64 - aaplayer.exe#12.3.0.0 dev/.../webservice/webservice.cs 627

Potential False Positive (Automation Anywhere): Used .NET 4.5.2 or later and set the DtdProcessing
property to 'Prohibit' and the XmlResolver property to 'null'.

Approve Mitigation (Automation Anywhere): Approved


21652 Neutral 64 - aaplayer.exe#12.3.0.0 dev/.../webservice/webservice.cs 639

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses



Specifics : MS .NET platform disables XXE by default in versions 4.5.2 +
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


21648 Neutral 64 - aaplayer.exe#12.3.0.0 dev/.../webservice/webservice.cs 692

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : MS .NET platform disables XXE by default in versions 4.5.2 +
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


7516 Neutral 64 - aaplayer.exe#12.3.0.0 dev/.../webservice/webservice.cs 713

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : Use of .NET 4.6 sets the DTD processing default to DTDProhibited, which throws an
XXEException when XXE is encountered.

Remaining Risk : Minimal. As long as all .NET components using XMLReader are built with the 4.6 or
later version this defect cannot affect system security.

Verification : Unit tests and use of AASaferXMLDocument class to catch possible XXEExceptions, as well
as exception handler cases in code to catch the XXEException(s).

Approve Mitigation (Automation Anywhere): Reviewed and approved. Followup Item: Confirm that
XXEException handling code is present to deal with possible exceptions when reading XML in the next
release.
6885 Neutral 68 - automation.fipsdata.migration.exe#11.0.2.0 dev/.../reader/xmlfilemanager.cs 32

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : Use of .NET 4.6 sets the DTD processing default to DTDProhibited, which throws an
XXEException when XXE is encountered.
Remaining Risk : Minimal. As long as all .NET components using XMLReader are built with the 4.6 or
later version this defect cannot affect system security.
Verification : Unit tests and use of AASaferXMLDocument class to catch possible XXEExceptions.

Approve Mitigation (Automation Anywhere): Reviewed and approved.


8808 Neutral 69 - automationeventwatcher.exe#12.0.0.0/automation.eventwatcher.dll dev/.../common/xmllib.cs 216

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : Use of .NET 4.6 sets the DTD processing default to DTDProhibited, which throws an
XXEException when XXE is encountered.

Remaining Risk : Minimal. As long as all .NET components using XMLReader are built with the 4.6 or
later version this defect cannot affect system security.

Verification : Unit tests and use of AASaferXMLDocument class to catch possible XXEExceptions, as well
as exception handler cases in code to catch the XXEException(s).

Approve Mitigation (Automation Anywhere): Reviewed and approved. Followup Item: Confirm that
XXEException handling code is present to deal with possible exceptions when reading XML in the next
release.
8804 Neutral 69 - automationeventwatcher.exe#12.0.0.0/automation.eventwatcher.dll dev/.../common/xmllib.cs 298

Mitigate by Design (Automation Anywhere):


Technique : GP1 : Use libraries and frameworks that make it easier to avoid introducing weaknesses
Specifics : Use of .NET 4.6 sets the DTD processing default to DTDProhibited, which throws an
XXEException when XXE is encountered.

Remaining Risk : Minimal. As long as all .NET components using XMLReader are built with the 4.6 or
later version this defect cannot affect system security.

Verification : Unit tests and use of AASaferXMLDocument class to catch possible XXEExceptions, as well
as exception handler cases in code to catch the XXEException(s).

Approve Mitigation (Automation Anywhere): Reviewed and approved. Followup Item: Confirm that
XXEException handling code is present to deal with possible exceptions when reading XML in the next
release.
3297 Neutral 70 - automation.metabot.engine.dll/automation.util.dll dev/.../xmlserializer.cs 115

Potential False Positive (Automation Anywhere): AAE requires .NET 4.6

.NET 4.5.2+ by default creates safe versions of the XML parsers used in AAE.

Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET


Approve Mitigation (Automation Anywhere): Approved

Server-Side Request Forgery (SSRF) (CWE ID 918)(3 flaws)

Instances found via Static Scan


Flaw Id Exploitability Module # Class # Module Location
27334 Neutral 27 - aa.editorx.ui.dll dev/.../ocr/frmocr.cs 1086

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Only accepts images for download, and image extension validation has been implemented.
Remaining Risk : It is up to the customer what kind of website they want to capture using OCR.
Verification : Extension validation only accepts the given image extensions, in the method below.
Code path: \CodeRepo\automation.editor\AA.EditorX.UI\OCR\frmocr.cs
private bool validateOCROptions()

After the image is downloaded, the content of the image is also verified to be valid:

private void setImageInPictureboxForURIOption()

Approve Mitigation (Automation Anywhere): Approved. This is the image download section; the image
type is validated, and after download the image content is validated.
27329 Neutral 27 - aa.editorx.ui.dll dev/.../ocr/frmocr.cs 1836

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Only accepts images for download, and image extension validation has been implemented.
Remaining Risk : It is up to the customer what kind of website they want to capture using OCR.
Verification : Extension validation only accepts the given image extensions, in the method below.

Code path: \CodeRepo\automation.editor\AA.EditorX.UI\OCR\frmocr.cs

private void loadImageUrl()

After the image is downloaded, the content of the image is also verified to be valid.

Approve Mitigation (Automation Anywhere): Approved. As this is an image download link, the image
extension is validated, and after download its content type is also verified.



27330 Neutral 63 - aa.editorx.ui.dll dev/.../web services/webservice.cs 553

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Will accept a URL for a traditional web service.
Remaining Risk : It is up to the customer what kind of web service they want to call.
Verification : Will only download the XML string data returned by the web service.
Code path: D:\CodeRepo\automation.editor\AA.EditorX.UI\Web Services\Webservice.cs
private string playTraditionalWebService()

Approve Mitigation (Automation Anywhere): Approved. Validation is present to only download the XML
stream data provided by the web service.

Insufficient Input Validation(4 flaws)

Associated Flaws by CWE ID:

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') (CWE ID 90)(3 flaws)

Instances found via Static Scan


Flaw Id Exploitability Module # Class # Module Location
9897 Neutral 5 - aa.editorx.ui.dll dev/.../adbrowse.cs 239

Potential False Positive (Automation Anywhere): False positive, reported on client-side component.
This is a bot Command that should allow the user to control the LDAP query, however it does not allow
them to escalate any privileges beyond what they already have. The client-side command is simply part
of an automation mechanism and validating input is the responsibility of the server.

Approve Mitigation (Automation Anywhere): Approved


5815 Neutral 6 - automation anywhere.exe#12.1.0.0 dev/.../view/adhelper.cs 25

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Perform validation on the username string to assure that there are no invalid characters which
could be part of an LDAP injection attack.
Remaining Risk : Low. Wildcards and non-conforming strings are not passed to the call, so chances of
compromise via this path are low.
Verification : Unit tests with crafted malicious strings, tests with non-conforming formats and content.
Fuzzing checks.

Approve Mitigation (Automation Anywhere): Reviewed and approved.


5814 Neutral 6 - automation anywhere.exe#12.1.0.0 dev/.../view/adhelper.cs 30

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Perform validation on the username string to assure that there are no invalid characters which
could be part of an LDAP injection attack.
Remaining Risk : Low. Wildcards and non-conforming strings are not passed to the call, so chances of
compromise via this path are low.
Verification : Unit tests with crafted malicious strings, tests with non-conforming formats and content.
Fuzzing checks.

Approve Mitigation (Automation Anywhere): Reviewed and approved.

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470)(1 flaw)

Instances found via Static Scan


Flaw Id Exploitability Module # Class # Module Location
10129 Likely 7 - aaplayer.exe#12.3.0.0 dev/.../assemblyloader.cs 43

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All user input to this functionality is trusted. Using the input to control assembly loading is the
intended design (used for object cloning during automation). The user cannot load anything that is not
already within their trust boundary.
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved

Cryptographic Issues(20 flaws)

Associated Flaws by CWE ID:

Cleartext Storage of Sensitive Information in Memory (CWE ID 316)(11 flaws)

Instances found via Static Scan


Flaw Id Exploitability Module # Class # Module Location
16934 Neutral 39 - aametabotdesigner.exe#12.0.0.0 dev/.../metabotview.cs 757

Potential False Positive (Automation Anywhere): False positive. No secrets or passwords being handled.

Approve Mitigation (Automation Anywhere): Approved


33513 Neutral 39 - aametabotdesigner.exe#12.0.0.0 dev/.../metabotview.cs 1342

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Value stored is not critical info
Remaining Risk : None
Verification : value in the variable is not critical info

Approve Mitigation (Automation Anywhere): Approved


16937 Neutral 39 - aametabotdesigner.exe#12.0.0.0 dev/.../metabotview.cs 1860

Potential False Positive (Automation Anywhere): False positive. No secrets or passwords being handled.

Approve Mitigation (Automation Anywhere): Approved


16935 Neutral 39 - aametabotdesigner.exe#12.0.0.0 dev/.../metabotview.cs 2129

Potential False Positive (Automation Anywhere): False positive. No secrets or passwords being handled.

Approve Mitigation (Automation Anywhere): Approved


10025 Neutral 61 - automation.sso.dll dev/.../automation.sso/urls.cs 46

Potential False Positive (Automation Anywhere): False Positive - This field does not contain any hardcoded passwords

Approve Mitigation (Automation Anywhere): False positives confirmed


30996 Neutral - 3 automation.plugins.pdfbox.dll/pdfbox.dll void !ctor(io.RandomAccessRead, string, java.io.InputStream, string) 88%

Potential False Positive (Automation Anywhere): This is a false positive as it comes from a third-party DLL

Approve Mitigation (Automation Anywhere): Approved


30997 Neutral - 4 automation.plugins.pdfbox.dll/pdfbox.dll void !ctor(string) 73%

Potential False Positive (Automation Anywhere): This is a false positive as it comes from a third-party DLL

Approve Mitigation (Automation Anywhere): Approved


30998 Neutral - 5 automation.plugins.pdfbox.dll/pdfbox.dll void !ctor(string, string, AccessPermission) 66%

Potential False Positive (Automation Anywhere): This is a false positive as it comes from a third-party DLL

Approve Mitigation (Automation Anywhere): Approved

30999 Neutral - 5 automation.plugins.pdfbox.dll/pdfbox.dll void !ctor(string, string, AccessPermission) 77%

Potential False Positive (Automation Anywhere): This is a false positive as it comes from a third-party DLL

Approve Mitigation (Automation Anywhere): Approved


31000 Neutral - 5 automation.plugins.pdfbox.dll/pdfbox.dll void setOwnerPassword(string) 25%

Potential False Positive (Automation Anywhere): This is a false positive as it comes from a third-party DLL

Approve Mitigation (Automation Anywhere): Approved


38837 Neutral 66 - automation.core.dll dev/.../basexml/xmlcommand.cs 111

Potential False Positive (Automation Anywhere): The variable expWord does not contain any sensitive information or any password

Approve Mitigation (Automation Anywhere): Approved

Insufficient Entropy (CWE ID 331)(1 flaw)

Instances found via Static Scan


Flaw Id Exploitability Module # Class # Module Location
14575 Unlikely 43 - aaplayer.exe#12.3.0.0 dev/.../palettequantizer.cs 66

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : All input does not serve a security critical function.
Remaining Risk : None
Verification : Code review

Approve Mitigation (Automation Anywhere): Approved

Use of a Broken or Risky Cryptographic Algorithm (CWE ID 327)(8 flaws)

Instances found via Static Scan


Flaw Id Exploitability Module # Class # Module Location
1895 Likely 8 - aaproxyserver.exe#11.0.2.0 dev/.../rfc6455/authentication.cs 67

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Older versions of AAE used these algorithms and they are purposely included in this release
for backwards compatibility *only*. No new features use these algorithms.

Remaining Risk : Care must be taken to not use these classes for new features in the future. This has
been communicated to engineering via clearly documented crypto standards.
Verification : Code review performed by engineers to confirm non-usage.

Approve Mitigation (Automation Anywhere): Approved


1892 Likely 9 - aaproxyserver.exe#11.0.2.0 dev/.../hybi00/authentication.cs 102

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Older versions of AAE used these algorithms and they are purposely included in this release
for backwards compatibility *only*. No new features use these algorithms.
Remaining Risk : Care must be taken to not use these classes for new features in the future. This has
been communicated to engineering via clearly documented crypto standards.
Verification : Code review performed by engineers to confirm non-usage.

Approve Mitigation (Automation Anywhere): Approved


6895 Likely 13 - automation.fipsdata.migration.exe#11.0.2.0 .../clientconfigurationxmlsettings.cs 55

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Older versions of AAE used these algorithms and they are purposely included in this release
for backwards compatibility *only*. No new features use these algorithms.
Remaining Risk : Care must be taken to not use these classes for new features in the future. This has
been communicated to engineering via clearly documented crypto standards.
Verification : Code review performed by engineers to confirm non-usage.

Approve Mitigation (Automation Anywhere): Approved


4753 Likely 21 - automation.generic.dll dev/.../des/descrypto.cs 26

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Older versions of AAE used these algorithms and they are purposely included in this release
for backwards compatibility *only*. No new features use these algorithms.
Remaining Risk : Care must be taken to not use these classes for new features in the future. This has
been communicated to engineering via clearly documented crypto standards.
Verification : Code review performed by engineers to confirm non-usage.

Approve Mitigation (Automation Anywhere): Approved


4754 Likely 21 - automation.generic.dll dev/.../des/descrypto.cs 26

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Older versions of AAE used these algorithms and they are purposely included in this release
for backwards compatibility *only*. No new features use these algorithms.

Remaining Risk : Care must be taken to not use these classes for new features in the future. This has
been communicated to engineering via clearly documented crypto standards.
Verification : Code review performed by engineers to confirm non-usage.

Approve Mitigation (Automation Anywhere): Approved


10176 Likely 60 - automation.generic.dll .../trippledescryptowithhash.cs 131

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Older versions of AAE used these algorithms and they are purposely included in this release
for backwards compatibility *only*. No new features use these algorithms.
Remaining Risk : Care must be taken to not use these classes for new features in the future. This has
been communicated to engineering via clearly documented crypto standards.
Verification : Code review performed by engineers to confirm non-usage.

Approve Mitigation (Automation Anywhere): Approved


10177 Likely 60 - automation.generic.dll .../trippledescryptowithhash.cs 136

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Older versions of AAE used these algorithms and they are purposely included in this release
for backwards compatibility *only*. No new features use these algorithms.
Remaining Risk : Care must be taken to not use these classes for new features in the future. This has
been communicated to engineering via clearly documented crypto standards.
Verification : Code review performed by engineers to confirm non-usage.

Approve Mitigation (Automation Anywhere): Approved


10175 Likely 60 - automation.generic.dll .../trippledescryptowithhash.cs 136

Mitigate by Design (Automation Anywhere):


Technique : M1 : Establish and maintain control over all of your inputs
Specifics : Older versions of AAE used these algorithms and they are purposely included in this release
for backwards compatibility *only*. No new features use these algorithms.
Remaining Risk : Care must be taken to not use these classes for new features in the future. This has
been communicated to engineering via clearly documented crypto standards.
Verification : Code review performed by engineers to confirm non-usage.

Approve Mitigation (Automation Anywhere): Approved

Low (6 flaws)
Information Leakage(6 flaws)

Associated Flaws by CWE ID:

Information Exposure Through Sent Data (CWE ID 201)(6 flaws)

Instances found via Static Scan


Flaw Id Exploitability Module # Class # Module Location
6945 Unlikely 23 - automationeventwatcher.exe#12.0.0.0 dev/.../emailparser.cs 446

Mitigate by Design (Automation Anywhere):


Technique : M2 : Establish and maintain control over all of your outputs
Specifics : All data mentioned in flaw is purposely transmitted, this is by design. This does not violate
policy or confidentiality.
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


6942 Unlikely 23 - automationeventwatcher.exe#12.0.0.0 dev/.../emailparser.cs 1049

Mitigate by Design (Automation Anywhere):


Technique : M2 : Establish and maintain control over all of your outputs
Specifics : All data mentioned in flaw is purposely transmitted, this is by design. This does not violate
policy or confidentiality.
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved

Mitigate by Design (Automation Anywhere): Promoted from Sandbox -


Technique : M2 : Establish and maintain control over all of your outputs
Specifics : Component is operating by design. The transfer of the sensitive data is intended and it does not violate the application security policy.
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Promoted from Sandbox - Approved


4581 Unlikely 28 - reportmanager.exe#11.0.2.0 dev/.../report/frmreports.cs 2421

Mitigate by Design (Automation Anywhere):


Technique : M2 : Establish and maintain control over all of your outputs
Specifics : Component is operating by design. The transfer of the sensitive data is intended and it does not violate the application security policy.
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


13706 Unlikely 32 - aaproxyserver.exe#11.0.2.0 dev/.../handlers/handler.cs 121

Mitigate by Design (Automation Anywhere):


Technique : M2 : Establish and maintain control over all of your outputs
Specifics : Component is operating by design. The transfer of the sensitive data is intended and it does not violate the application security policy.
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


6943 Unlikely 34 - automationeventwatcher.exe#12.0.0.0 dev/.../email classes/imapclass.cs 460

Mitigate by Design (Automation Anywhere):


Technique : M2 : Establish and maintain control over all of your outputs
Specifics : All data mentioned in flaw is purposely transmitted, this is by design. This does not violate
policy or confidentiality.
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


10012 Unlikely 49 - aaproxyserver.exe#11.0.2.0 dev/.../proxyserver.cs 309

Mitigate by Design (Automation Anywhere):


Technique : M2 : Establish and maintain control over all of your outputs
Specifics : Component is operating by design. The transfer of the sensitive data is intended and it does not violate the application security policy.
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved

Appendix C: Proposed Mitigated Flaws (by Automation Anywhere)


NOTE: Except in circumstances where the Customer has purchased Veracode’s Mitigation Proposal Review Solution, Veracode does not review the mitigation strategy described below and is not responsible for its contents or the accuracy of any statements provided.

Low (5 flaws)
Information Leakage(5 flaws)

Associated Flaws by CWE ID:

Information Exposure Through Sent Data (CWE ID 201)(5 flaws)

Instances found via Static Scan


Flaw Id Exploitability Module # Class # Module Location
6947 Unlikely 34 - automationeventwatcher.exe#12.0.0.0 dev/.../email classes/imapclass.cs 119

Mitigate by Design (Automation Anywhere):


Technique : M2 : Establish and maintain control over all of your outputs
Specifics : All data mentioned in flaw is purposely transmitted, this is by design. This does not violate
policy or confidentiality.
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


6948 Unlikely 34 - automationeventwatcher.exe#12.0.0.0 dev/.../email classes/imapclass.cs 430

Mitigate by Design (Automation Anywhere):


Technique : M2 : Establish and maintain control over all of your outputs
Specifics : All data mentioned in flaw is purposely transmitted, this is by design. This does not violate
policy or confidentiality.
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


6946 Unlikely 45 - automationeventwatcher.exe#12.0.0.0 dev/.../pop3client.cs 131

Mitigate by Design (Automation Anywhere):


Technique : M2 : Establish and maintain control over all of your outputs
Specifics : All data mentioned in flaw is purposely transmitted, this is by design. This does not violate
policy or confidentiality.
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


6939 Unlikely 45 - automationeventwatcher.exe#12.0.0.0 dev/.../pop3client.cs 510

Mitigate by Design (Automation Anywhere):

Technique : M2 : Establish and maintain control over all of your outputs
Specifics : All data mentioned in flaw is purposely transmitted, this is by design. This does not violate
policy or confidentiality.
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved


6940 Unlikely 45 - automationeventwatcher.exe#12.0.0.0 dev/.../pop3client.cs 538

Mitigate by Design (Automation Anywhere):


Technique : M2 : Establish and maintain control over all of your outputs
Specifics : All data mentioned in flaw is purposely transmitted, this is by design. This does not violate
policy or confidentiality.
Remaining Risk : Little to none
Verification : Design review

Approve Mitigation (Automation Anywhere): Approved

Appendix D: Referenced Source Files


Id Filename Path
1 aaarray.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.core/automation.core/baseobjects/
2 aadictionary.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.core/automation.core/baseobjects/
3 aalist.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.core/automation.core/baseobjects/
4 aasaferxmldocument.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.generic/automation.generic/xml/
5 adbrowse.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.editor/aa.editorx.ui/activedirectory/
6 adhelper.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.main/aa.main/toolsoptions/view/
7 assemblyloader.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.player/automation.player/commands/smart adaptor/
8 authentication.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.player/automation.proxyserver/crossbrowser/handlers/websocket/rfc6455/
9 authentication.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.player/automation.proxyserver/crossbrowser/handlers/websocket/hybi00/
10 autologinconfiguration.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.client/common/configuration/
11 backupandrestoreoperations.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.client/common/configuration/applicationsettings/
12 chromeextensionplugininstallation.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.main/aa.plugininstallation/plugininstallation/chrome/
13 clientconfigurationxmlsettings.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.main/automation.fipsdata.migration/reader/
14 clientserverpropertiesextension.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.cr.clientsdk/automation.cr.clientsdk/automation.clientconfigurationservice/configuration/
15 cloudfeatureconfiguration.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.client/automation.utils/configuration/
16 commonconfiguration.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.client/automation.utils/configuration/
17 commonmethods.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.player/automation.player/common files/
18 commonmethods.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.client/automation.utils/
19 commonmethods.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.client/automation.client.servercommunication/common/
20 cookieutil.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.client/automation.sso/
21 descrypto.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.generic/automation.generic/automation.generic.security/encryption/des/
22 directoryoperations.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.generic/automation.generic/io/impl/
23 emailparser.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.services/automation.eventwatcher.app/event/email classes/

24 fileoperations.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.generic/automation.generic/io/impl/
25 flexsettingsreader.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.main/aa.plugininstallation/plugininstallation/flexplugininstallation/
26 frmdownloadhelpfile.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.main/aa.main/helpfile/
27 frmocr.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.editor/aa.editorx.ui/ocr/
28 frmreports.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.main/reportmanager/report/
29 frmsoapwebservicebuilduri.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.editor/aa.editorx.ui/web services/
30 globalhook.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.client/automation.recorder/aastandardrecorder/
31 globalhook.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.main/aa.main/normalrecorder/commonfiles/
32 handler.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.player/automation.proxyserver/crossbrowser/handlers/
33 ieextractmultipledata.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.editor/aa.editorx.ui/webautomation/commonfiles/
34 imapclass.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.services/automation.eventwatcher.app/event/email classes/
35 jobfileoperation.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.client/automation.client.deploymentservice/deploymentmanager/operations/download/
36 jsonserializer.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.cr.clientsdk/automation.cr.clientsdk/automation.cr.clientsdk/
37 legacyproductconfiguration.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.client/common/configuration/applicationsettings/
38 logconfigfilemanager.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.generic/automation.generic/logging/
39 metabotview.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.main/aametabotdesigner/usercontrols/
40 notificationcontext.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.client/notification/
41 onlinehelp.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.services/automation.helpviewer/zendeskservice/
42 packageoperations.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.generic/automation.generic/io/impl/
43 palettequantizer.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.player/automation.player/commands/application commands/pdfintegration/pixelformatconversion/
44 plugincommon.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.main/aa.plugininstallation/plugininstallation/
45 pop3client.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.services/automation.eventwatcher.app/event/email classes/
46 processinvoker.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.generic/automation.generic/processinvoker/
47 productconfiguration.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.main/automation.fipsdata.migration/reader/

48 property.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.main/aa.main/scriptfile/
49 proxyserver.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.player/automation.proxyserver/
50 readwritetaskschedules.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.client/schedulerlibrary/schedulerlogic/
51 repositoryoperation.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.player/automation.player/features/webcr/
52 routines.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.client/schedulerlibrary/schedulerlogic/
53 routines.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.client/common/
54 serializedeserialize.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.player/automation.player/commands/mouseandkeystroke/common file/
55 smartrecorderbase.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.client/commands.common/smartrecorder/commonfiles/
56 soaprequestbody.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.editor/aa.editorx.ui/web services/
57 systemlogmigration.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.main/reportmanager/systemlogreport/
58 tasklogwatcher.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.client/automation.client.deploymentservice/taskexecutionlogwatcher/
59 triggermigrationservices.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.main/automation.fipsdata.migration/services/
60 trippledescryptowithhash.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.generic/automation.generic/automation.generic.security/encryption/trippledes/
61 urls.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.client/automation.sso/
62 userconfiguration.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.client/common/configuration/
63 webservice.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.editor/aa.editorx.ui/web services/
64 webservice.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.player/automation.player/commands/webservice/
65 winapiwrapper.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.generic/automation.legacy.nativeapi/
66 xmlcommand.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.core/automation.core/basexml/
67 xmlconfiguration.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.generic/automation.generic/config/xmlconfig/
68 xmlfilemanager.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.main/automation.fipsdata.migration/reader/
69 xmllib.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.client/automation.eventwatcher/common/
70 xmlserializer.cs dev/workspace/11.3-series_11.3.4-series_11.3.4/automation.client/automation.utils/serialization/

Appendix E: Referenced Classpaths


Id Path
1 aasilverlightinjector_exe.Automation.SilverlightInjector.LicenseValidationDialog
2 aasilverlightinjector_exe.Mono.Options.ArgumentSource
3 pdfbox_dll.org.apache.pdfbox.pdfparser.COSParser
4 pdfbox_dll.org.apache.pdfbox.pdmodel.encryption.StandardDecryptionMaterial
5 pdfbox_dll.org.apache.pdfbox.pdmodel.encryption.StandardProtectionPolicy


Appendix F: Dynamic Flaw Inventory


Rescan Status Number of Flaws
All 0
New 0
Open and Reopened 0
Cannot Reproduce 0
Fixed 0
