API7:2023 Security Misconfiguration - Misleading example #79

@ynvb

Scenario #1 - This category shows a JNDI injection issue.
I don't believe a JNDI injection is a good example of a "security misconfiguration" issue. Sure, sometimes there might be an unnecessary JNDI feature within some specific functionality, and it's really better to turn it off. However, in many other cases, the JNDI functionality is required and cannot simply be removed. In this case, the best mitigation should follow the line of "Input Sanitization", usage of "Parameterized Queries", and so on.
This is a much better example for Injection use cases (which are partially described in API10:2023 - Unsafe Consumption of APIs).
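The distinction the issue draws, shown as an added example that is neither the issue author's code nor from the OWASP API Security Top 10 project. It assumes a hypothetical service that needs JNDI to look up data sources (so the feature cannot be "turned off"), and contrasts a lookup driven by raw request input with one that maps a logical name through a fixed allowlist; the class, method and data source names, and the attacker URL in `main`, are constructed for illustration.

```java
import javax.naming.Context;
import javax.naming.NamingException;
import java.util.Map;

public class JndiLookupExample {

    // Vulnerable pattern: the JNDI name comes straight from the caller's input.
    // A value such as "ldap://attacker.example/x" makes the JNDI client connect to
    // a server the attacker controls. This is an injection problem, not a
    // misconfiguration: no setting of the application was wrong.
    static Object vulnerableLookup(Context ctx, String userSuppliedName) throws NamingException {
        return ctx.lookup(userSuppliedName);
    }

    // Hardened pattern: input never reaches JNDI. The caller may only name an
    // entry from this allowlist; the scheme, host and path of the JNDI name are
    // fixed in code (or deployment config), never attacker-controlled.
    // The logical names and JNDI names here are hypothetical.
    private static final Map<String, String> ALLOWED_DATASOURCES = Map.of(
        "orders",    "java:comp/env/jdbc/OrdersDB",
        "customers", "java:comp/env/jdbc/CustomersDB"
    );

    // Resolves a logical name to its pre-configured JNDI name, rejecting anything
    // that is not on the allowlist. Rejection is by exact match, so partial
    // sanitisation (stripping "ldap:" and similar) is never attempted.
    static String resolveAllowedName(String logicalName) {
        String jndiName = ALLOWED_DATASOURCES.get(logicalName);
        if (jndiName == null) {
            throw new IllegalArgumentException("unknown data source: " + logicalName);
        }
        return jndiName;
    }

    static Object hardenedLookup(Context ctx, String logicalName) throws NamingException {
        return ctx.lookup(resolveAllowedName(logicalName));
    }

    // Demonstrates the allowlist without needing a live JNDI provider.
    public static void main(String[] args) {
        // Constructed inputs: one legitimate logical name, one injection attempt.
        String[] inputs = { "orders", "ldap://attacker.example/x" };
        for (String input : inputs) {
            try {
                System.out.println(input + " -> " + resolveAllowedName(input));
            } catch (IllegalArgumentException e) {
                System.out.println(input + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

`Map.of` requires Java 9 or later. The point of the hardened version is that the fix lives in the code path that builds the lookup name, which is what "Input Sanitization" and parameterised lookups address; disabling JNDI entirely, the misconfiguration-style fix, is only available when the feature is genuinely unused.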
