Details
Type: Improvement
Status: Resolved
Priority: Major
Resolution: Invalid
Description
Vulnerability Description: In the file "src/main/java/org/apache/sling/discovery/base/connectors/ping/TopologyRequestValidator.java", the following code was written in the
private String hash(String toHash)
method:
MessageDigest m = MessageDigest.getInstance("SHA-256");
The vulnerability is using "SHA-256" as the argument to the MessageDigest.getInstance method.
Reason it's vulnerable: According to this, SHA256 can be broken.
Suggested Fix: SHA512 can be used instead.
Feedback: Please select any of the options below to help us get an idea of how you felt about the suggestion:
- Liked it and will make the suggested changes
- Liked it but happy with the existing version
- Didn't find the suggestion helpful
Note: Tagging stefanegli as suggested by rombert in this pull request.
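Editor's note on the technical point: no practical collision or preimage attack against SHA-256 is known, so replacing it with SHA-512 is not a security fix, which is consistent with the Invalid resolution above. The example below is added here and is not code from the Sling project or from the reporter; the class name HashAlgorithmCompare, the two-argument hash helper and the sample input are assumptions made for illustration. It shows the one thing that does change when the algorithm name passed to MessageDigest.getInstance is swapped (the digest length, and therefore compatibility with any peer still computing the old digest) and the check a practitioner would actually want around such a hash, a constant-time comparison via MessageDigest.isEqual.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example (not project code): compares SHA-256 and SHA-512 digests of the same
// input and demonstrates constant-time digest comparison.
public final class HashAlgorithmCompare {

    // Same shape as the hash(String) helper described in the issue, with the algorithm
    // name made a parameter so both variants can be run side by side (assumed signature).
    static String hash(String toHash, String algorithm) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            byte[] digest = md.digest(toHash.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            // "SHA-256" and "SHA-512" are both shipped by the default JDK providers,
            // so this branch is only reachable with a misspelled algorithm name.
            throw new IllegalStateException("Unsupported digest algorithm: " + algorithm, e);
        }
    }

    // Compare two hex digests without leaking the position of the first mismatch:
    // MessageDigest.isEqual is constant-time for arrays of equal length and returns
    // false immediately when the lengths differ (which is not secret).
    static boolean digestsMatch(String expectedHex, String actualHex) {
        return MessageDigest.isEqual(
                expectedHex.getBytes(StandardCharsets.US_ASCII),
                actualHex.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        // Constructed sample input; it is not data from the Sling discovery module.
        String input = "constructed sample input: topology ping";

        String sha256 = hash(input, "SHA-256");
        String sha512 = hash(input, "SHA-512");
        System.out.println("SHA-256 (" + sha256.length() + " hex chars): " + sha256); // 64 hex chars
        System.out.println("SHA-512 (" + sha512.length() + " hex chars): " + sha512); // 128 hex chars

        // A digest computed with one algorithm never verifies against the other, so every
        // peer that checks the value must change algorithm at the same time.
        System.out.println("cross-algorithm match: " + digestsMatch(sha256, sha512));            // false
        System.out.println("same-algorithm match:  " + digestsMatch(sha256, hash(input, "SHA-256"))); // true
    }
}
```

Compile and run with `javac HashAlgorithmCompare.java && java HashAlgorithmCompare`. The output length is the only visible difference between the two algorithm names; the interoperability consequence, and the comparison routine used when the digest is verified, matter far more than the choice between the two SHA-2 variants.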