Posted to general@incubator.apache.org by 陈明雨 <mo...@163.com> on 2022/04/26 14:33:47 UTC
CVE-2022-23942: Apache Doris(incubating) hardcoded cryptography initialization
Severity: moderate
Description:
=============
Doris uses a hardcoded key and IV to initialize the cipher used for the LDAP password, which may lead to information disclosure.
Mitigation:
=============
Upgrading to 1.0.0[1] or higher will resolve this problem.
Credit:
=============
We would like to thank Dwi Siswanto for the report of this issue.
References:
=============
https://lists.apache.org/thread/com2dyzp3bn2rdrotry90q2zzord4tvt
[1] http://doris.incubator.apache.org/downloads/downloads.html
--
Best Regards
陈明雨 Mingyu Chen
Email: chenmingyu@apache.org