https://bz.apache.org/bugzilla/show_bug.cgi?id=60700
Bug ID: 60700
Summary: Security: hardcoded password in class org.apache.poi.poifs.crypt.CryptoFunctions
Product: POI
Version: 3.15-FINAL
Hardware: PC
OS: All
Status: NEW
Severity: critical
Priority: P2
Component: POIFS
Assignee: dev@poi.apache.org
Reporter: linianem...@qq.com
Target Milestone: ---

Use Fortify to scan the POI 3.15 source code files and you will find a critical security issue for a hardcoded password. In method org.apache.poi.poifs.crypt.CryptoFunctions.hashPassword(String, HashAlgorithm, byte[], int, boolean):

    // If no password was given, use the default
    if (password == null) {
        password = Decryptor.DEFAULT_PASSWORD;
    }

Passwords should never be hardcoded and should generally be obfuscated and managed in an external source. Storing passwords in plaintext anywhere on the system allows anyone with sufficient permissions to read and potentially misuse the password.

--
You are receiving this mail because:
You are the assignee for the bug.
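The fallback quoted in the report means that a document encrypted with a null password is protected by nothing but Decryptor.DEFAULT_PASSWORD, so any consumer that knows the default can open it. As an added example (not part of the bug report and not POI's own code), the small audit below flags such files; it assumes the POI 3.15 encryption API as I understand it (EncryptionInfo(POIFSFileSystem), Decryptor.getInstance and Decryptor.verifyPassword with the signatures used here).

```java
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;

import org.apache.poi.poifs.crypt.Decryptor;
import org.apache.poi.poifs.crypt.EncryptionInfo;
import org.apache.poi.poifs.filesystem.POIFSFileSystem;

/**
 * Reports whether an encrypted Office document stored in an OLE2 container
 * opens with POI's built-in default password. Such a file should be treated
 * as effectively unencrypted, because every reader that knows the default
 * (POI included) can decrypt it without any user-supplied secret.
 */
public class DefaultPasswordAudit {

    /**
     * Returns true if the document verifies against Decryptor.DEFAULT_PASSWORD.
     * Note: an unencrypted file has no EncryptionInfo stream, so the
     * EncryptionInfo constructor throws; callers should catch IOException
     * and treat that case separately from "encrypted with a real password".
     */
    public static boolean protectedOnlyByDefault(File doc)
            throws IOException, GeneralSecurityException {
        try (POIFSFileSystem fs = new POIFSFileSystem(doc)) {
            EncryptionInfo info = new EncryptionInfo(fs);
            Decryptor d = Decryptor.getInstance(info);
            // verifyPassword returns false on a mismatch rather than throwing,
            // so a false result means a non-default password is in use.
            return d.verifyPassword(Decryptor.DEFAULT_PASSWORD);
        }
    }

    public static void main(String[] args) throws Exception {
        for (String path : args) {
            File f = new File(path);
            String verdict = protectedOnlyByDefault(f)
                    ? "WEAK: opens with the default password"
                    : "OK: default password rejected";
            System.out.println(f.getName() + " -> " + verdict);
        }
    }
}
```

Run it over a directory of encrypted documents to find the ones whose protection rests only on the default, which is the practical exposure the report describes.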