Adobe-Consulting-Services / acs-aem-commons

http://adobe-consulting-services.github.io/acs-aem-commons/
Apache License 2.0

Information Exposure Through Sent Data #1135

Closed LambaSwati closed 7 years ago

LambaSwati commented 7 years ago

We are using the acs-aem-commons-3.9.0 bundle in our project. According to the Veracode security scan report run on our project:

Description: Sensitive information may be exposed as a result of outbound network connections made by the application. This can manifest in a couple of different ways. In C/C++ applications, sometimes the developer fails to zero out a buffer before populating it with data. This can cause information leakage if, for example, the buffer contains a data structure for which only certain fields were populated. The uninitialized fields would contain whatever data is present at that memory location. Sensitive information from previously allocated variables could then be leaked when the buffer is sent over the network. Mobile applications may also transmit sensitive information such as email or SMS messages, address book entries, GPS location data, and anything else that can be accessed by the mobile API. This behavior is common in mobile spyware applications designed to exfiltrate data to a listening post or other data collection point. This flaw is categorized as low severity because it only impacts confidentiality, not integrity or availability. However, in the context of a mobile application, the significance of an information leak may be much greater, especially if misaligned with user expectations or data privacy policies.

Instances found via Static Scan:

| Flaw Id | Module # | Class # | Module | Location | Fix By |
|---|---|---|---|---|---|
| 51 | 4 | - | JS files within acsaem-commonscontent-3.9.0.zip | /jcr_root/.../clientlibs/js/app.js | 67 |
| 50 | 25 | - | JS files within acsaem-commonscontent-3.9.0.zip | /.../tab-configuration.jsp | 24 |
| 58 | 29 | - | JS files within acsaem-commonscontent-3.9.0.zip | /.../version-compare.jsp | 38 |

badvision commented 7 years ago

1) The JSPs listed are not exposed to the public web if the customer has followed proper guidance from our security checklist.
2) There are over a dozen app.js files listed, so without a complete path I cannot confirm or deny the issue reported in the JS. But then again, I kind of doubt that it is going to expose a flaw in the browser in the manner described.

Since this is marked with minor severity anyway, I nominate that we close this one. To quote an ancient Ferengi proverb: It would not be profitable to pursue this any further.

justinedelson commented 7 years ago

FWIW, neither tab-configuration.jsp nor version-compare.jsp make outbound network calls.