You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@commons.apache.org by "phoebe chen (Jira)" <ji...@apache.org> on 2022/07/27 14:13:00 UTC

[jira] [Created] (COMMONSSITE-160) Apache Commons Net is vulnerable to Information Disclosure - SRCCLR-SID-3636

phoebe chen created COMMONSSITE-160:
---------------------------------------

             Summary: Apache Commons Net is vulnerable to Information Disclosure - SRCCLR-SID-3636
                 Key: COMMONSSITE-160
                 URL: https://issues.apache.org/jira/browse/COMMONSSITE-160
             Project: Apache Commons All
          Issue Type: Improvement
            Reporter: phoebe chen


Based on [SRCCLR-SID-3636|https://sca.analysiscenter.veracode.com/vulnerability-database/security/sca/vulnerability/sid-3636/summary], 
commons-net is vulnerable to information disclosure. The vulnerability is possible because `newStringUtf8()` in Base64.java does not prevent the storage of sensitive data in a String object which would not be deleted until the JVM performs garbage collection. There is a chance for an attacker to collect sensitive information by dumping the memory when the application has crashed .

Would you please review this security issue from Veracode?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)