Posted to issues@karaf.apache.org by "Eduardo Aguinaga (JIRA)" <ji...@apache.org> on 2016/08/31 17:26:20 UTC

[jira] [Commented] (KARAF-4202) Password Management: Hardcoded Password

    [ https://issues.apache.org/jira/browse/KARAF-4202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15452817#comment-15452817 ] 

Eduardo Aguinaga commented on KARAF-4202:
-----------------------------------------

There are no comments explaining why this was deemed an invalid issue. Looking at the source code it looks like an obvious hard-coded password (not to mention it is being stored in a String object, which is another finding). 

> Password Management: Hardcoded Password
> ---------------------------------------
>
>                 Key: KARAF-4202
>                 URL: https://issues.apache.org/jira/browse/KARAF-4202
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>            Assignee: Christian Schneider
>             Fix For: 4.1.0, 4.0.6
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application security scan on Karaf source code.
> Analysis: Hardcoded passwords may compromise system security in a way that cannot be easily remedied.
> File: jaas/modules/src/main/java/org/apache/karaf/jaas/modules/syncope/SyncopeLoginModule.java
> Line: 47
> SyncopeLoginModule.java, lines 41-49:
> 41 public class SyncopeLoginModule extends AbstractKarafLoginModule {
> 42 
> 43     private final static Logger LOGGER = LoggerFactory.getLogger(SyncopeLoginModule.class);
> 44 
> 45     public final static String ADDRESS = "address";
> 46     public final static String ADMIN_USER = "admin.user"; // for the backing engine
> 47     public final static String ADMIN_PASSWORD = "admin.password"; // for the backing engine
> 48 
> 49     private String address;



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
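The constants flagged in the quoted snippet hold configuration keys, and the credential they name is supplied at runtime through the login module's options map. The following hypothetical class is an added illustration of that pattern, not Karaf's SyncopeLoginModule or any code from the issue; the class name, the env variable name and the sample option values are assumptions. It also shows the missing-option check and the char[] handling that the comment's second finding (password held in a String) points at.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

// Hypothetical, simplified stand-in for a JAAS login module's option handling.
public class BackingEngineConfig {

    // These are property KEYS, the same shape as the flagged constants:
    // the literal on the right names a configuration entry, it is not a credential.
    public static final String ADDRESS = "address";
    public static final String ADMIN_USER = "admin.user";
    public static final String ADMIN_PASSWORD = "admin.password";

    private final String address;
    private final String adminUser;
    private final char[] adminPassword;

    // In a real LoginModule this map is the 'options' argument of initialize(),
    // populated from the JAAS configuration, never from a literal in source.
    public BackingEngineConfig(Map<String, ?> options) {
        this.address = require(options, ADDRESS);
        this.adminUser = require(options, ADMIN_USER);
        // Hold the secret in a char[] so it can be wiped; a String cannot be cleared.
        this.adminPassword = require(options, ADMIN_PASSWORD).toCharArray();
    }

    // Fail closed: a missing or empty option is a configuration error, not a default.
    private static String require(Map<String, ?> options, String key) {
        Object value = options.get(key);
        if (value == null || value.toString().isEmpty()) {
            throw new IllegalArgumentException("missing login module option: " + key);
        }
        return value.toString();
    }

    public String getAddress() { return address; }
    public String getAdminUser() { return adminUser; }
    public char[] getAdminPassword() { return adminPassword; }

    // Wipe the password once the backing engine no longer needs it.
    public void clearPassword() { Arrays.fill(adminPassword, '\0'); }

    public static void main(String[] args) {
        // Constructed sample options, standing in for what the JAAS config would supply.
        Map<String, String> options = new HashMap<>();
        options.put(ADDRESS, "http://localhost:9080/syncope/rest");      // constructed value
        options.put(ADMIN_USER, "admin");                                 // constructed value
        options.put(ADMIN_PASSWORD, System.getenv("SYNCOPE_ADMIN_PASSWORD")); // assumed env var
        BackingEngineConfig cfg = new BackingEngineConfig(options);       // throws if unset
        System.out.println("address=" + cfg.getAddress() + " user=" + cfg.getAdminUser());
        cfg.clearPassword();
    }
}
```

Run with the assumed environment variable set; leaving it unset exercises the fail-closed path in require().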