[GitHub] [commons-lang] JLLeitschuh commented on issue #459: (doc): Document public RandomStringUtils exploit



GitBox
JLLeitschuh commented on issue #459: (doc): Document public RandomStringUtils exploit
URL: https://github.com/apache/commons-lang/pull/459#issuecomment-532721967
 
 
   @chtompki Because many people don't read the documentation. Especially at the top of classes.
   
   I've found this class of vulnerability in other places because of similar issues around not reading the documentation:
   
   - https://nvd.nist.gov/vuln/detail/CVE-2019-11808?cpeVersion=2.2
   
   I've got 3 outstanding undisclosed vulnerabilities I've reported due to insecure RNG caused by this class.
   
   The problem is, in security, defaults really matter. Unfortunately, by defaulting to insecure RNG, this class is exposing a lot of projects to this vulnerability.
   
   Want some examples? Just GitHub search for "RandomStringUtils token" or "RandomStringUtils key" on GitHub. You'll find tens of thousands of examples.
   
   https://github.com/search?q=RandomStringUtils+token&type=Code

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[hidden email]


With regards,
Apache Git Services
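The default-RNG problem described in the comment above, shown as an added example that is not part of the PR or of commons-lang itself: the no-argument `RandomStringUtils` methods beside two hardened alternatives. It assumes `commons-lang3` is on the classpath; the class name `TokenGeneration` and the method names are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;
import org.apache.commons.lang3.RandomStringUtils;

public class TokenGeneration {

    // Weak: the no-argument RandomStringUtils methods draw from a shared
    // java.util.Random, whose output is predictable once enough of it is
    // observed. This is the pattern the comment warns about; it is kept here
    // only as the "before" to contrast against the two methods below.
    static String weakToken(int length) {
        return RandomStringUtils.randomAlphanumeric(length);
    }

    // One SecureRandom per class is fine; it is thread-safe and reseeds itself.
    private static final SecureRandom SECURE = new SecureRandom();

    // Hardened, option 1: keep RandomStringUtils for its alphabet handling but
    // pass a SecureRandom through the overload that accepts a java.util.Random.
    static String secureAlphanumericToken(int length) {
        // start=0 and end=0 with letters=true, numbers=true and chars=null
        // selects the same alphanumeric range randomAlphanumeric() uses,
        // so only the entropy source changes, not the output alphabet.
        return RandomStringUtils.random(length, 0, 0, true, true, null, SECURE);
    }

    // Hardened, option 2: skip the helper entirely and encode raw CSPRNG bytes.
    // 32 bytes gives 256 bits of entropy, more than any alphanumeric string of
    // the same visible length.
    static String secureUrlSafeToken(int numBytes) {
        byte[] buf = new byte[numBytes];
        SECURE.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        System.out.println("weak (do not use for secrets): " + weakToken(32));
        System.out.println("secure, same alphabet        : " + secureAlphanumericToken(32));
        System.out.println("secure, url-safe base64      : " + secureUrlSafeToken(32));
    }
}
```

When reviewing a code base, any call to `RandomStringUtils` that does not pass a `Random` argument and whose result feeds a token, key, password or session identifier is a finding; the fix is one of the two hardened forms above.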