[ https://issues.apache.org/jira/browse/COMMONSSITE-160?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
phoebe chen updated COMMONSSITE-160:
------------------------------------
    Description: 
Based on [SRCCLR-SID-3636|https://sca.analysiscenter.veracode.com/vulnerability-database/security/sca/vulnerability/sid-3636/summary], commons-net is vulnerable to information disclosure. The vulnerability is possible because `newStringUtf8()` in Base64.java does not prevent the storage of sensitive data in a String object which would not be deleted until the JVM performs garbage collection. There is a chance for an attacker to collect sensitive information by dumping the memory when the application has crashed.

This is a security issue from Veracode.

  was:
Based on [SRCCLR-SID-3636|https://sca.analysiscenter.veracode.com/vulnerability-database/security/sca/vulnerability/sid-3636/summary], commons-net is vulnerable to information disclosure. The vulnerability is possible because `newStringUtf8()` in Base64.java does not prevent the storage of sensitive data in a String object which would not be deleted until the JVM performs garbage collection. There is a chance for an attacker to collect sensitive information by dumping the memory when the application has crashed.

Would you please review this security issue from Veracode?

> Apache Commons Net is vulnerable to Information Disclosure - SRCCLR-SID-3636
> ----------------------------------------------------------------------------
>
>                 Key: COMMONSSITE-160
>                 URL: https://issues.apache.org/jira/browse/COMMONSSITE-160
>             Project: Apache Commons All
>          Issue Type: Improvement
>            Reporter: phoebe chen
>            Priority: Major
>
> Based on
> [SRCCLR-SID-3636|https://sca.analysiscenter.veracode.com/vulnerability-database/security/sca/vulnerability/sid-3636/summary],
>
> commons-net is vulnerable to information disclosure. The vulnerability is
> possible because `newStringUtf8()` in Base64.java does not prevent the
> storage of sensitive data in a String object which would not be deleted until
> the JVM performs garbage collection. There is a chance for an attacker to
> collect sensitive information by dumping the memory when the application has
> crashed.
> This is a security issue from Veracode.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
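The report above is about the lifetime of secrets on the JVM heap: once decoded bytes are wrapped in an immutable String, the caller cannot overwrite them, so they stay readable in a heap dump until garbage collection. The following is an added example, not code from commons-net or from the reporter; it uses the JDK's `java.util.Base64` in place of commons-net's `Base64.java` (an assumption made so the snippet runs without the library), and the `decodeToString` / `checkSecret` names and the sample value are constructed for illustration. It contrasts the String-returning pattern the report warns about with keeping the secret in a mutable `byte[]` that is wiped as soon as it has been used.

```java
// Added example (not commons-net code): contrast a Base64-decoded secret that is
// turned into an immutable String with one kept in a byte[] and zeroed after use.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;

public class SecretHandling {

    // The pattern the report warns about: the decoded bytes become a String.
    // Strings are immutable, so nothing can clear the characters; the secret
    // remains on the heap (and in any heap dump) until the GC reclaims it.
    static String decodeToString(String base64Secret) {
        byte[] decoded = Base64.getDecoder().decode(base64Secret); // stand-in for commons-net decoding
        return new String(decoded, StandardCharsets.UTF_8);       // stand-in for newStringUtf8()
    }

    // Safer handling: consume the mutable byte[] directly and zero it in a
    // finally block so the plaintext copy we own does not outlive the check.
    static boolean checkSecret(String base64Secret, byte[] expected) {
        byte[] decoded = Base64.getDecoder().decode(base64Secret);
        try {
            // Constant-time comparison so the check itself does not leak via timing.
            return MessageDigest.isEqual(decoded, expected);
        } finally {
            Arrays.fill(decoded, (byte) 0); // wipe our copy as soon as it is no longer needed
        }
    }

    public static void main(String[] args) {
        // Constructed sample value; not a real credential.
        byte[] expected = "sample-secret-not-real".getBytes(StandardCharsets.UTF_8);
        String encoded = Base64.getEncoder().encodeToString(expected);

        System.out.println("byte[] path, match = " + checkSecret(encoded, expected));

        // String path: once this returns, the caller has no way to clear 'copy'.
        String copy = decodeToString(encoded);
        System.out.println("String path, length = " + copy.length());

        Arrays.fill(expected, (byte) 0); // clear the reference value too
    }
}
```

Two caveats a practitioner would check before treating this as a fix: the Base64-encoded input is itself a `String`, so the encoded form still sits on the heap, and a complete remediation carries the secret as `byte[]` or `char[]` from the point it enters the process; and `Arrays.fill` clears only the copy this code owns, not any intermediate copies a library made internally, which is exactly why the report singles out `newStringUtf8()` in the library rather than the caller.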