Details
Description
As reported globally for all ASF projects by Alessandro Albani, the passport component is using RandomStringUtils in a potentially insecure way.
This is related to CWE-338 and CVE-2019-16303, which don't concern OFBiz.
Actually, the password generated by the passport component is no more insecure than the "ofbiz" password used out of the box (OOTB) in many places. But it's somewhat hidden (automated generation), and it's easy to randomise it better while still using only alphanumeric chars, as is currently the case.
There are other uses of RandomStringUtils, but they don't relate to password generation and are used safely.
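The difference between a general-purpose PRNG and a CSPRNG for alphanumeric password generation (the CWE-338 concern above), as an added example that is not OFBiz code or the actual fix. It uses only the JDK instead of RandomStringUtils; the class name, method name, fixed seed and password length are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Random;

// Hypothetical helper, not part of OFBiz or the passport component.
public class AlphanumericPassword {

    // Same character set as before: alphanumeric only.
    private static final char[] ALPHANUMERIC =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".toCharArray();

    // One shared instance: SecureRandom is thread-safe and seeds itself from the OS.
    private static final SecureRandom SECURE = new SecureRandom();

    // Builds a password from whichever random source is passed in, so the
    // weak and the strong source can be compared with identical logic.
    static String generate(Random source, int length) {
        if (length <= 0) {
            throw new IllegalArgumentException("length must be positive");
        }
        char[] out = new char[length];
        for (int i = 0; i < length; i++) {
            // nextInt(bound) is uniform over [0, bound), so there is no modulo bias.
            out[i] = ALPHANUMERIC[source.nextInt(ALPHANUMERIC.length)];
        }
        return new String(out);
    }

    public static void main(String[] args) {
        long seed = 42L; // constructed seed, stands in for a recoverable PRNG state

        // java.util.Random is a 48-bit linear congruential generator:
        // identical state always yields the identical "random" password.
        String weakA = generate(new Random(seed), 16);
        String weakB = generate(new Random(seed), 16);
        System.out.println("java.util.Random, same seed, same password: "
                + weakA.equals(weakB));

        // SecureRandom output cannot be reproduced from earlier outputs.
        String strongA = generate(SECURE, 16);
        String strongB = generate(SECURE, 16);
        System.out.println("SecureRandom, two calls, same password: "
                + strongA.equals(strongB));
    }
}
```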