Veracode security scan reported the following issue. Please help us to understand the issue. Thank you.
Attack Vector: java.lang.Math.random
Number of Modules Affected: 1
Description: Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand().
Remediation: If this random number is used where security is a concern, such as generating a session key or session identifier, use a trusted cryptographic random number generator instead. These can be found on the Windows platform in the CryptoAPI or in an open source library such as OpenSSL. In Java, use the SecureRandom object to ensure sufficient entropy.
Source: GifFrameLoader.java (line 1)
The issue is in this method:
private static Key getFrameSignature() {
// Some devices seem to have crypto bugs that throw exceptions when you create a new UUID.
// See #1510.
return new ObjectKey(Math.random());
}
Glide Version: 4.9.0
Veracode security scan reported the following issue. Please help us to understand the issue. Thank you.
Attack Vector: java.lang.Math.random
Number of Modules Affected: 1
Description: Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand().
Remediation: If this random number is used where security is a concern, such as generating a session key or session identifier, use a trusted cryptographic random number generator instead. These can be found on the Windows platform in the CryptoAPI or in an open source library such as OpenSSL. In Java, use the SecureRandom object to ensure sufficient entropy.
Source: GifFrameLoader.java (line 1)
The issue is in this method: private static Key getFrameSignature() { // Some devices seem to have crypto bugs that throw exceptions when you create a new UUID. // See #1510. return new ObjectKey(Math.random()); }