[ https://issues.apache.org/jira/browse/CB-12447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15861750#comment-15861750 ]
Kerri Shotts commented on CB-12447:
-----------------------------------
I can find no instance of this particular method in core Cordova code. If you
are using plugins, it may be possible a plugin has a potential vulnerability,
but you would need to report the vulnerability to the plugin in question.

[~sahilgoyal]: we appreciate the reporting of security issues, but if you are
going to continue posting reports found by Veracode, please provide more
information with the reports (as [~jcesarmobile] has asked in CB-12441), and
verify that the problem isn't with a third-party plugin first.

Closing as invalid for now.

> Inadequate Encryption Strength
> ------------------------------
>
> Key: CB-12447
> URL: https://issues.apache.org/jira/browse/CB-12447
> Project: Apache Cordova
> Issue Type: Bug
> Reporter: Sahil
>
> We are using Cordova for our Android hybrid app, and the following is the
> result of the Veracode static scan:
> Attack Vector: javax.crypto.spec.PBEKeySpec.!operator_javanewinit
> Description: This call to
> javax.crypto.spec.PBEKeySpec.!operator_javanewinit() uses fewer than 1000
> iterations for PBE key generation. RFC 2898 recommends at least 1000
> iterations because a higher iteration count increases the computational cost
> of a dictionary attack.
> Remediation: Use a minimum of 1000 iterations.
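
One way to do the check requested in the comment above, that is, to find which source file (core or a third-party plugin) actually contains the flagged `PBEKeySpec` call. This is an added example, not code from Cordova, Veracode or the thread; the function names are hypothetical, it assumes the plugins' Java sources are available in the project tree, and it only judges iteration counts written as integer literals (anything else is listed for manual review).

```python
import re
from pathlib import Path

MIN_ITERATIONS = 1000  # threshold quoted in the scan report
CALL = re.compile(r"new\s+(?:javax\.crypto\.spec\.)?PBEKeySpec\s*\(")

def split_args(src, start):
    """Top-level call arguments; assumes no ',' or parens inside string literals."""
    depth, args, cur = 1, [], []
    for ch in src[start:]:
        if ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
            if depth == 0:
                return args + ["".join(cur).strip()]
        if ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return args  # unbalanced call: ends up reported for manual review

def scan_source(name, src):
    """Return (file, line, verdict, iteration_argument) for each suspect call."""
    findings = []
    for m in CALL.finditer(src):
        args = split_args(src, m.end())
        line = src.count("\n", 0, m.start()) + 1
        count = args[2] if len(args) >= 3 else None  # 3rd arg is iterationCount
        if count is not None and re.fullmatch(r"\d+", count):
            if int(count) < MIN_ITERATIONS:
                findings.append((name, line, "low", count))
        else:  # constant, variable, or constructor without an iteration count
            findings.append((name, line, "review", count))
    return findings

def scan_tree(root):
    """Scan every .java file under root; the relative path shows who owns the call."""
    root = Path(root)
    return [f for p in sorted(root.rglob("*.java"))
            for f in scan_source(str(p.relative_to(root)), p.read_text(errors="replace"))]

# Constructed sample input, not taken from any real plugin.
SAMPLE = """KeySpec weak = new PBEKeySpec(pw.toCharArray(), salt, 100, 256);
KeySpec ok = new PBEKeySpec(pw.toCharArray(), salt, 10000, 256);
KeySpec unknown = new javax.crypto.spec.PBEKeySpec(pw, salt, ITERATIONS, 128);
"""
print(scan_source("Sample.java", SAMPLE))
```

Running `scan_tree` on the project root lists each finding with its relative path, which is the information needed to send the report to the right plugin maintainer.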