vuln-fix: Temporary File Information Disclosure



This fixes a temporary file information disclosure vulnerability due to the use
of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
using the `Files.createTempFile()` method, which sets the correct POSIX permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18


Co-authored-by: Moderne <team@moderne.io>
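An added example, not code from this commit or from the Sling project, that contrasts the two APIs named in the commit message and checks the resulting POSIX permissions; the class name, prefixes and helper methods are illustrative choices.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

/** Illustrative class (not part of the Sling code base). */
public class TempFilePermissionsDemo {

    /** Pre-fix pattern (CWE-377): the mode depends on the process umask, commonly 0644. */
    static Path createLegacy() throws IOException {
        File f = File.createTempFile("demo-legacy-", ".tmp");
        f.deleteOnExit();
        return f.toPath();
    }

    /** Post-fix pattern: on POSIX file systems the file is created with rw------- (0600). */
    static Path createSecure() throws IOException {
        Path p = Files.createTempFile("demo-secure-", ".tmp");
        p.toFile().deleteOnExit();
        return p;
    }

    /** The disclosure condition: any read bit for group or others. */
    static boolean isGroupOrWorldReadable(Path p) throws IOException {
        // Throws UnsupportedOperationException on non-POSIX file systems (e.g. Windows).
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
            || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    public static void main(String[] args) throws IOException {
        Path legacy = createLegacy();
        Path secure = createSecure();
        System.out.println("File.createTempFile  -> " + Files.getPosixFilePermissions(legacy)
            + (isGroupOrWorldReadable(legacy) ? "  [readable by other users]" : ""));
        System.out.println("Files.createTempFile -> " + Files.getPosixFilePermissions(secure)
            + (isGroupOrWorldReadable(secure) ? "  [readable by other users]" : ""));
    }
}
```

Run it under a typical umask of 022 to see the legacy file come out group- and world-readable while the `Files` variant is owner-only. On Windows the permission query is unsupported and the file inherits the temp directory's ACL instead, so the check above is only meaningful on POSIX hosts.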
1 file changed
tree: 897e56490c73865cb632ea2d81830020406e6ff0
README.md

Apache Sling


Apache Sling Form Based Authentication Handler

Bundle implementing form based authentication with login and logout support. Authentication state is maintained in a Cookie or in an HTTP Session. The password is only submitted when first authenticating.

This module is part of the Apache Sling project. You can read more about this module on our documentation site.