[ https://issues.apache.org/jira/browse/OFBIZ-12854?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-12854.
-----------------------------------
    Fix Version/s: 22.01.01
       Resolution: Implemented

I crossed too many issues to consider the 18.12 branch.

> Improve use of RandomStringUtils where it's potentially used in an insecure
> way
> -------------------------------------------------------------------------------
>
>                 Key: OFBIZ-12854
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12854
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: passport
>    Affects Versions: 22.01.01, 18.12.09
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Minor
>             Fix For: 22.01.01
>
>
> As reported globally for all ASF projects by Alessandro Albani, the passport
> component is using RandomStringUtils in a potentially insecure way.
> This is related to CWE-338 and CVE-2019-16303, which don't concern OFBiz.
> Actually the password generated by the passport component is not more
> insecure than the OFBiz password used OOTB in many places. But it's somewhat
> hidden (automated generation) and it's easy to randomise it better, still
> using only alphanumeric chars as currently.
> There are other uses of RandomStringUtils but they don't relate to password
> generation and are safely used.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
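As an added illustration (not OFBiz code and not the passport component's actual fix), the weak pattern the ticket describes sits beside two hardened forms that keep the alphanumeric-only output; the class and method names are hypothetical, and the first hardened form assumes commons-lang3 on the classpath.

```java
import java.security.SecureRandom;
import org.apache.commons.lang3.RandomStringUtils;

/**
 * Hypothetical helper, not from OFBiz. Contrasts an alphanumeric secret
 * drawn from the default RandomStringUtils methods (backed by a shared
 * java.util.Random, a predictable non-cryptographic generator: CWE-338)
 * with the same shape of secret drawn from java.security.SecureRandom.
 */
public final class PasswordGeneration {

    private static final SecureRandom SECURE = new SecureRandom();
    private static final String ALPHABET =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    /** Weak: randomAlphanumeric() draws from java.util.Random internally. */
    static String weakPassword(int length) {
        return RandomStringUtils.randomAlphanumeric(length);
    }

    /**
     * Hardened, same library: the seven-argument random() overload accepts
     * the Random source. start/end of 0 with letters and numbers both true
     * restricts output to ASCII letters and digits, exactly as
     * randomAlphanumeric() does, but SecureRandom is a CSPRNG.
     */
    static String securePassword(int length) {
        return RandomStringUtils.random(length, 0, 0, true, true, null, SECURE);
    }

    /** Hardened, JDK only: no commons-lang dependency, same 62-char alphabet. */
    static String securePasswordJdkOnly(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(SECURE.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // 16 chars from a 62-symbol alphabet gives roughly 95 bits of entropy,
        // but only when the underlying generator is unpredictable.
        System.out.println("weak:    " + weakPassword(16));
        System.out.println("secure:  " + securePassword(16));
        System.out.println("jdkonly: " + securePasswordJdkOnly(16));
    }
}
```

The output strings have the same alphabet and length in all three cases; the difference is only in whether the sequence is predictable to someone who has observed earlier outputs of the same generator.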