Vulnerability
|
static String sha256Sum(byte[] input) { |
|
MessageDigest digest = MessageDigest.getInstance('SHA-256') |
|
digest.update(input) |
|
new BigInteger(1,digest.digest()).toString(16).padLeft(32, '0') |
|
} |
padLeft(32, '0') should be padLeft(64, '0'). SHA-256 produces 32 bytes = 64 hex characters.
Impact
- Inconsistent hash lengths when leading bytes are zero
- Comparison failures for hashes with leading zeros
- Potential security issues in hash-based comparisons
- Could cause subtle bugs in systems relying on consistent hash lengths
Severity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered high.
Patches
Upgrade to Jervis 2.2.
Workarounds
Use an alternate SHA-256 hash function or upgrade.
Vulnerability
jervis/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy
Lines 622 to 626 in 157d2b6
padLeft(32, '0')should bepadLeft(64, '0'). SHA-256 produces 32 bytes = 64 hex characters.Impact
Severity is considered low for internal uses of this library but if there's any consumer using these methods directly then this is considered high.
Patches
Upgrade to Jervis 2.2.
Workarounds
Use an alternate SHA-256 hash function or upgrade.