[jira] [Updated] (COMMONSSITE-160) Apache Commons Net is vulnerable to Information Disclosure - SRCCLR-SID-3636

phoebe chen (Jira) Wed, 27 Jul 2022 07:18:05 -0700


     [ 
https://issues.apache.org/jira/browse/COMMONSSITE-160?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


phoebe chen updated COMMONSSITE-160:
------------------------------------
    Description: 
Based on 
[SRCCLR-SID-3636|https://sca.analysiscenter.veracode.com/vulnerability-database/security/sca/vulnerability/sid-3636/summary],
 
commons-net is vulnerable to information disclosure. The vulnerability is 
possible because `newStringUtf8()` in Base64.java does not prevent the storage 
of sensitive data in a String object which would not be deleted until the JVM 
performs garbage collection. There is a chance for an attacker to collect 
sensitive information by dumping the memory when the application has crashed .

This is a security issue from Veracode.

  was:
Based on 
[SRCCLR-SID-3636|https://sca.analysiscenter.veracode.com/vulnerability-database/security/sca/vulnerability/sid-3636/summary],
 
commons-net is vulnerable to information disclosure. The vulnerability is 
possible because `newStringUtf8()` in Base64.java does not prevent the storage 
of sensitive data in a String object which would not be deleted until the JVM 
performs garbage collection. There is a chance for an attacker to collect 
sensitive information by dumping the memory when the application has crashed .

Would you please review this security issue from Veracode?


> Apache Commons Net is vulnerable to Information Disclosure - SRCCLR-SID-3636
> ----------------------------------------------------------------------------
>
>                 Key: COMMONSSITE-160
>                 URL: https://issues.apache.org/jira/browse/COMMONSSITE-160
>             Project: Apache Commons All
>          Issue Type: Improvement
>            Reporter: phoebe chen
>            Priority: Major
>
> Based on 
> [SRCCLR-SID-3636|https://sca.analysiscenter.veracode.com/vulnerability-database/security/sca/vulnerability/sid-3636/summary],
>  
> commons-net is vulnerable to information disclosure. The vulnerability is 
> possible because `newStringUtf8()` in Base64.java does not prevent the 
> storage of sensitive data in a String object which would not be deleted until 
> the JVM performs garbage collection. There is a chance for an attacker to 
> collect sensitive information by dumping the memory when the application has 
> crashed .
> This is a security issue from Veracode.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (COMMONSSITE-160) Apache Commons Net is vulnerable to Information Disclosure - SRCCLR-SID-3636

Reply via email to