
Remove unsafe/deprecated Encryptors.querableText(CharSequence,CharSequence) #8980

Closed
paruss opened this issue Aug 24, 2020 · 2 comments
Labels: in: crypto (An issue in spring-security-crypto), type: breaks-passivity (A change that breaks passivity with the previous release), type: enhancement (A general enhancement)

Comments

paruss commented Aug 24, 2020

The method is deprecated as a result of issue: CVE-2020-5408. The solution was to deprecate this method. This does not satisfy code analyzers such as Fortify as it could potentially still be used.

I would suggest this method be removed, as it should not be used anyway.

Method in question:
org.springframework.security.crypto.encrypt#queryableText(CharSequence password, CharSequence salt)

@paruss paruss added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Aug 24, 2020
@jzheaux jzheaux added in: crypto An issue in spring-security-crypto and removed status: waiting-for-triage An issue we've not yet triaged labels Aug 25, 2020
@jzheaux jzheaux added this to the 6.x milestone Aug 25, 2020

jzheaux commented Aug 25, 2020

Thanks for the report, @paruss. Let's take a look at doing this in the 6.x line.

Since the suggested upgrade is not a simple change, removing the method altogether in a minor release may keep organizations on older versions with other problems.
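Why the upgrade is more than a method swap, shown as an added example (not code from this issue or from the Spring Security project): queryableText is deterministic, the delux replacement is not, so an equality lookup on the ciphertext column has to move to something else, here a keyed hash of the plaintext (a common "blind index" pattern, my assumption rather than anything the issue prescribes). Assumes a 5.x spring-security-crypto on the classpath, where the deprecated method still exists, and hypothetical demo secrets.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.crypto.keygen.KeyGenerators;

public class QueryableTextMigration {

    // Hypothetical demo secrets; a real deployment loads these from a secret store.
    private static final String PASSWORD = "demo-password";
    private static final String SALT = KeyGenerators.string().generateKey(); // random hex salt
    private static final byte[] INDEX_KEY = "demo-index-key".getBytes(StandardCharsets.UTF_8);

    // Deprecated in 5.x, removed in 6.0: fixed IV, so equal plaintexts give equal ciphertexts.
    @SuppressWarnings("deprecation")
    static TextEncryptor deprecatedEncryptor() {
        return Encryptors.queryableText(PASSWORD, SALT);
    }

    // Replacement: AES-GCM with a fresh random IV per call, so output is not deterministic.
    static TextEncryptor replacementEncryptor() {
        return Encryptors.delux(PASSWORD, SALT);
    }

    // Equality lookups move off the ciphertext column onto an HMAC of the plaintext
    // ("blind index") stored beside it and queried with WHERE ssn_index = ?.
    static String blindIndex(String value) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(INDEX_KEY, "HmacSHA256"));
        return Base64.getEncoder().encodeToString(mac.doFinal(value.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        String ssn = "123-45-6789"; // constructed sample value
        TextEncryptor old = deprecatedEncryptor();
        // Equal ciphertexts for equal plaintexts: rows sharing a value can be matched without the key.
        System.out.println("queryableText repeats: " + old.encrypt(ssn).equals(old.encrypt(ssn)));

        TextEncryptor fresh = replacementEncryptor();
        String c1 = fresh.encrypt(ssn), c2 = fresh.encrypt(ssn);
        System.out.println("delux repeats: " + c1.equals(c2));
        System.out.println("both decrypt: " + (fresh.decrypt(c1).equals(ssn) && fresh.decrypt(c2).equals(ssn)));

        // Stable per value, so the lookup still works, and not reversible without INDEX_KEY.
        System.out.println("blind index repeats: " + blindIndex(ssn).equals(blindIndex(ssn)));
    }
}
```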


paruss commented Aug 27, 2020

Thanks for the comment and excellent point around minor releases.

@rwinch rwinch added the type: breaks-passivity A change that breaks passivity with the previous release label Jun 13, 2022
@rwinch rwinch self-assigned this Jun 14, 2022
@rwinch rwinch changed the title from "Remove deprecated queryableText as contains known vulnerability" to "Remove unsafe/deprecated Encryptors.querableText(CharSequence,CharSequence)" Sep 7, 2022
@rwinch rwinch modified the milestones: 6.0.x, 6.0.0-M7 Sep 7, 2022
@rwinch rwinch closed this as completed in d996c2a Sep 7, 2022
@rwinch rwinch moved this to Done in Spring Security Team Sep 7, 2022
jzheaux added a commit that referenced this issue Nov 8, 2022