Hi, in /src/core/security, there is a dependency org.jasypt:jasypt:1.8 that calls the risk method.
CVE-2014-9970
The affected version range of this CVE is [,1.9.2)
After further analysis, in this project, the main API called is org.jasypt.digest.StandardByteDigester: matches(byte[],byte[])Z
Risk method repair link: GitHub
CVE bug invocation path:
Path length: 2
it.geosolutions.geostore.core.security.password.GeoStoreDigestPasswordEncoder$1: isPasswordValid(java.lang.String,char[],java.lang.Object)Z /.m2/repository/org/springframework/ldap/spring-ldap-core/2.3.4.RELEASE/spring-ldap-core-2.3.4.RELEASE.jar
org.jasypt.digest.StandardByteDigester: matches(byte[],byte[])Z
Dependency tree:
[INFO] it.geosolutions.geostore:geostore-security:jar:2.0-SNAPSHOT
[INFO] +- commons-lang:commons-lang:jar:2.3:compile
[INFO] +- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] +- commons-codec:commons-codec:jar:1.4:compile
[INFO] +- commons-dbcp:commons-dbcp:jar:1.2.2:compile
[INFO] |  \- commons-pool:commons-pool:jar:1.3:compile
[INFO] +- commons-io:commons-io:jar:2.1:compile
[INFO] +- dom4j:dom4j:jar:1.6.1:compile
[INFO] |  \- xml-apis:xml-apis:jar:1.0.b2:compile
[INFO] +- log4j:log4j:jar:1.2.17.norce:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.2:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.2:compile
[INFO] +- org.springframework:spring-aop:jar:5.3.18:test
[INFO] |  +- org.springframework:spring-beans:jar:5.3.18:compile
[INFO] |  \- org.springframework:spring-core:jar:5.3.18:compile
[INFO] |     \- org.springframework:spring-jcl:jar:5.3.18:compile
[INFO] +- org.springframework:spring-context:jar:5.3.18:compile
[INFO] |  \- org.springframework:spring-expression:jar:5.3.18:compile
[INFO] +- org.springframework.security:spring-security-core:jar:5.3.10.RELEASE:compile
[INFO] +- org.springframework.security:spring-security-crypto:jar:5.3.10.RELEASE:compile
[INFO] +- org.jasypt:jasypt:jar:1.8:compile
[INFO] +- org.acegisecurity:acegi-security-tiger:jar:1.0.7:compile
[INFO] |  \- org.acegisecurity:acegi-security:jar:1.0.7:compile
[INFO] |     +- org.springframework:spring-remoting:jar:1.2.9:compile
[INFO] |     +- org.springframework:spring-jdbc:jar:5.3.18:compile
[INFO] |     +- org.springframework:spring-support:jar:1.2.9:runtime
[INFO] |     \- oro:oro:jar:2.0.8:compile
[INFO] +- org.springframework.security:spring-security-ldap:jar:5.3.10.RELEASE:compile
[INFO] |  +- org.springframework.ldap:spring-ldap-core:jar:2.3.4.RELEASE:compile
[INFO] |  \- org.springframework:spring-tx:jar:5.3.18:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.7.0:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.0.3:compile
[INFO] +- jdom:jdom:jar:1.0:compile
[INFO] +- junit:junit:jar:4.12:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- net.sf.json-lib:json-lib:jar:jdk15:2.4:compile
[INFO] |  \- net.sf.ezmorph:ezmorph:jar:1.0.6:compile
[INFO] \- it.geosolutions.geostore:geostore-model:jar:2.0-SNAPSHOT:compile
[INFO]    +- javax.xml.bind:jaxb-api:jar:2.1:compile
[INFO]    |  +- javax.xml.stream:stax-api:jar:1.0-2:compile
[INFO]    |  \- javax.activation:activation:jar:1.1:compile
[INFO]    \- com.sun.xml.bind:jaxb-impl:jar:2.1.2:compile
Suggested solutions:
Update dependency version
Thank you very much.