qos-ch / logback

The reliable, generic, fast and flexible logging framework for Java.
http://logback.qos.ch

Vulnerability detected for hardcoded password in ch/qos/logback/core/net/ssl/SSL.java (OWASP category : Reverse Engineering) #787

Open LikhitaGanji opened 5 months ago

LikhitaGanji commented 5 months ago

We have detected that Logback uses a hardcoded password in the source code (ch/qos/logback/core/net/ssl/SSL.java). A hardcoded password is nothing but a plaintext password stored in the source code. A hardcoded password can be easily retrieved or manipulated through reverse engineering.

MASA-02

Creating this issue to check if it is possible to not hardcode the password as plaintext, or to encrypt the password in the source code, to avoid this vulnerability.

griffinjm commented 5 months ago

This is the default Java cacerts keystore file and password; it is well documented as the default password since at least Java 8. https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html
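The reply above makes the point that the constant is the JDK's publicly documented default for its bundled, public truststore (cacerts), not an application secret. The following is an added illustration, not logback's own code: a hypothetical `DefaultTrustStore` helper that resolves the truststore location and password from the standard `javax.net.ssl.trustStore` / `javax.net.ssl.trustStorePassword` system properties when an operator sets them, and only otherwise falls back to the JDK's documented defaults (`$JAVA_HOME/lib/security/cacerts` and the documented default password `changeit` from the keytool documentation linked above). It then verifies that the store actually opens with the resolved password and counts the trusted certificates, which is the check a deployer would want after overriding the defaults.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;

/** Hypothetical helper (added example, not part of logback): configurable truststore access. */
public final class DefaultTrustStore {

    // The JDK's documented default password for the bundled cacerts truststore (see keytool docs).
    private static final char[] DOCUMENTED_DEFAULT_PASSWORD = "changeit".toCharArray();

    /** Password: explicit javax.net.ssl.trustStorePassword first, then the documented JDK default. */
    static char[] resolvePassword() {
        String configured = System.getProperty("javax.net.ssl.trustStorePassword");
        return configured != null ? configured.toCharArray() : DOCUMENTED_DEFAULT_PASSWORD.clone();
    }

    /** Location: explicit javax.net.ssl.trustStore first, then the running JDK's own cacerts file. */
    static Path resolvePath() {
        String configured = System.getProperty("javax.net.ssl.trustStore");
        if (configured != null) {
            return Paths.get(configured);
        }
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    /**
     * Load the truststore with the resolved password and return the number of trusted
     * certificate entries. KeyStore.load throws if the password does not verify the store's
     * integrity, so a wrong override surfaces here instead of at the first TLS handshake.
     */
    static int loadAndCount() throws Exception {
        Path path = resolvePath();
        char[] password = resolvePassword();
        try (InputStream in = Files.newInputStream(path)) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, password);
            int count = 0;
            for (String alias : Collections.list(ks.aliases())) {
                if (ks.isCertificateEntry(alias)) {
                    count++;
                }
            }
            return count;
        } finally {
            // Clear the password copy once it is no longer needed.
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Trusted certificates in " + resolvePath() + ": " + loadAndCount());
    }
}
```

Run it as-is to confirm the running JDK's cacerts opens with the documented default; run it with `-Djavax.net.ssl.trustStore=... -Djavax.net.ssl.trustStorePassword=...` to confirm an operator-supplied truststore and password are honoured and that the hardcoded default is never consulted in that case.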