Jacques Le Roux created OFBIZ-12854:
---------------------------------------

Summary: Improve use of RandomStringUtils where it's potentially used in an insecure way
Key: OFBIZ-12854
URL: https://issues.apache.org/jira/browse/OFBIZ-12854
Project: OFBiz
Issue Type: Improvement
Components: passport
Affects Versions: 22.01.01, 18.12.09
Reporter: Jacques Le Roux
Assignee: Jacques Le Roux

As reported globally for all ASF projects by Alessandro Albani, the passport component uses RandomStringUtils in a potentially insecure way. This is related to CWE-338 and CVE-2019-16303, which don't concern OFBiz.

Actually, the password generated by the passport component is not more insecure than the ofbiz password used OOTB in many places. But it is somewhat hidden (automated generation), and it is easy to randomise it better, still using only alphanumeric chars as currently.

There are other uses of RandomStringUtils, but they don't relate to password generation and are safely used.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
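The weak pattern the ticket refers to, shown next to the hardened form it asks for (same alphanumeric alphabet, better randomness). This is an added illustration, not OFBiz code: the class and method names are hypothetical, and it assumes commons-lang3 on the classpath.

```java
import java.security.SecureRandom;
import org.apache.commons.lang3.RandomStringUtils;

public final class GeneratedPasswordExample {

    // One shared CSPRNG: seeding SecureRandom is costly, so do not create one per call.
    private static final SecureRandom SECURE = new SecureRandom();

    // Weak pattern (CWE-338): the no-argument helpers draw from a shared
    // java.util.Random, which is not a cryptographic generator. Fine for test
    // data or ids that carry no secret, not for a password or reset token.
    static String weakPassword(int length) {
        return RandomStringUtils.randomAlphanumeric(length);
    }

    // Hardened form: identical output alphabet ([A-Za-z0-9]), but every character
    // is drawn from SecureRandom through the overload that takes a Random source.
    // start/end of 0 with letters=true, numbers=true selects the alphanumeric range.
    static String securePassword(int length) {
        if (length < 1) {
            throw new IllegalArgumentException("length must be positive");
        }
        return RandomStringUtils.random(length, 0, 0, true, true, null, SECURE);
    }

    // Minimum length that gives at least `bits` of entropy for a 62-symbol alphabet:
    // each alphanumeric character contributes log2(62) ~= 5.95 bits.
    static int lengthForEntropyBits(int bits) {
        double bitsPerChar = Math.log(62) / Math.log(2);
        return (int) Math.ceil(bits / bitsPerChar);
    }

    public static void main(String[] args) {
        int len = lengthForEntropyBits(128); // 22 characters for a 128-bit password
        System.out.println("weak   : " + weakPassword(len));
        System.out.println("secure : " + securePassword(len));
    }
}
```

A quick way to audit a code base for the weak pattern is to grep for `RandomStringUtils.random` calls that pass no `Random` argument and check whether the result ends up as a password, token or key.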