You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@cassandra.apache.org by "Eduardo Aguinaga (JIRA)" <ji...@apache.org> on 2016/08/25 17:50:21 UTC

[jira] [Created] (CASSANDRA-12546) Privacy Violation

Eduardo Aguinaga created CASSANDRA-12546:
--------------------------------------------

             Summary: Privacy Violation
                 Key: CASSANDRA-12546
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12546
             Project: Cassandra
          Issue Type: Sub-task
            Reporter: Eduardo Aguinaga


Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis includes the issue below.

Issue:
In the file DigestMismatchException.java on line 30 the method DigestMismatchException() mishandles sensitive information. Sensitive information should be handled carefully to avoid divulging it to unauthorized parties.

{code:java}
DigestMismatchException.java, lines 28-34:
28 public DigestMismatchException(DecoratedKey key, ByteBuffer digest1, ByteBuffer digest2)
29 {
30     super(String.format("Mismatch for key %s (%s vs %s)",
31                         key.toString(),
32                         ByteBufferUtil.bytesToHex(digest1),
33                         ByteBufferUtil.bytesToHex(digest2)));
34 }
{code} 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)