You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@doris.apache.org by 陈明雨 <mo...@163.com> on 2022/04/26 14:29:07 UTC

CVE-2022-23942: Apache Doris hardcoded cryptography initialization

Severity: moderate

Description
===============
Doris use hardcoded key and IV to initialize the cipher used for ldap password, which may lead to information disclosure.


Mitigation
===============
Upgrade to 1.0.0[1] or higher will resolve this problem.

Credit:
===============
We would like to thanks to Dwi Siswanto<me...@dw1.io> for the report of this issue

[1] http://doris.incubator.apache.org/downloads/downloads.html

--

此致！Best Regards
陈明雨 Mingyu Chen

Email:
chenmingyu@apache.org