High security alert found in jscep lib #304
Comments
|
The alert probably refers to the use of DES/3DES, that is kept for backward-compatibility purposes: JSCEP supports perfectly well AES. But since SCEP clients might be outdated, support for DES/3DES is needed in order to keep interoperability. |
|
A little bit different, but vulnerability scanners report jscep as vulnerable with high severity due to 
|
|
All dependencies have now been updated to latest. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We analyzed the android apk with Mobsf security tool and find the below.
CWE: CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP Top 10: M5: Insufficient Cryptography
OWASP MASVS: MSTG-CRYPTO-4
Code:org/jscep/message/PkcsPkiEnvelopeDecoder.java
CWE: CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP Top 10: M5: Insufficient Cryptography
OWASP MASVS: MSTG-CRYPTO-4
Code: org/jscep/message/PkcsPkiEnvelopeDecoder.java
Kindly let me know if you need any other details.
Best Regards,
Vasanth.
The text was updated successfully, but these errors were encountered: