Bug 63953

Summary: Security : Fortify Privacy Violation
Product: POI
Reporter: Sreekanth Basani <sreekanthbasani>
Component: POI Overall
Assignee: POI Developers List <dev>
Status: RESOLVED INVALID
Severity: critical
Priority: P2
Version: 4.1.1-FINAL
Target Milestone: ---
Hardware: PC
OS: All

Description Sreekanth Basani 2019-11-22 13:54:16 UTC
Fortify Report on POI source code identifies the following vulnerability:

Category: Privacy Violation (Security Features, Data Flow)

Description: The method write() in XOREncryptionVerifier.java mishandles confidential information, which can compromise user privacy and is often illegal.

    @Override
    public void write(LittleEndianByteArrayOutputStream bos) {
        // Serialize the two XOR obfuscation fields in the order the file format
        // lays them out: the obfuscation key, then the password verifier.
        bos.write(getEncryptedKey());
        bos.write(getEncryptedVerifier());
    }
Comment 1 Andreas Beeker 2019-11-22 14:07:08 UTC
Reading/writing the encrypted key / verifier is in the spec, i.e. it's part of the file format.

see https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/06494548-8c5c-4697-bce1-e2a9fe1c4de4
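As an added illustration (not POI's code and not part of the report), the following standalone Python re-implements the XOR obfuscation verifier derivation, assumed to follow the spec's CreatePasswordVerifier_Method1 with single-byte (latin-1) password characters, and serializes the key/verifier pair in the 4-byte little-endian layout that the flagged write() emits. The key value is a constructed sample, since deriving it needs the spec's lookup tables; the point is that the stored verifier is a 16-bit check value derived from the password, which is why writing it is file-format behaviour rather than a leak of the secret.

```python
import struct


def xor_password_verifier(password: str) -> int:
    """16-bit verifier stored in the file for XOR obfuscation.

    Assumed to match MS-OFFCRYPTO CreatePasswordVerifier_Method1:
    a length byte is prepended, the bytes are folded in reverse order
    through a 15-bit left rotate plus XOR, then XORed with 0xCE4B.
    """
    pw = password.encode("latin-1")          # assumption: ANSI single-byte chars
    data = bytes([len(pw)]) + pw             # length byte first
    verifier = 0
    for b in reversed(data):
        carry = 1 if verifier & 0x4000 else 0           # bit 14 wraps to bit 0
        verifier = ((verifier << 1) & 0x7FFF) | carry   # 15-bit rotate left
        verifier ^= b
    return verifier ^ 0xCE4B


def write_xor_verifier(encrypted_key: int, encrypted_verifier: int) -> bytes:
    """Same field order as the reported write(): key, then verifier,
    each a 16-bit little-endian value (4 bytes in total)."""
    return struct.pack("<HH", encrypted_key, encrypted_verifier)


def parse_xor_verifier(buf: bytes) -> tuple[int, int]:
    """Inverse of write_xor_verifier: returns (key, verifier)."""
    key, verifier = struct.unpack("<HH", buf[:4])
    return key, verifier


def password_opens_file(stored_verifier: int, password: str) -> bool:
    """What a reader does on open: recompute and compare the check value."""
    return xor_password_verifier(password) == stored_verifier


if __name__ == "__main__":
    sample_key = 0x1234                       # constructed sample, not derived
    blob = write_xor_verifier(sample_key, xor_password_verifier("a"))
    print(blob.hex(), parse_xor_verifier(blob))
```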