Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

同学,您这个项目引入了122个开源组件,存在1个漏洞,辛苦升级一下 #6

Closed
ghost opened this issue Mar 9, 2022 · 1 comment

Comments

@ghost
Copy link

ghost commented Mar 9, 2022

检测到 yangzongzhuan/RuoYi-fast 一共引入了122个开源组件,存在1个漏洞

漏洞标题:kaptcha 安全漏洞
缺陷组件:com.github.penggle:kaptcha@2.3.2
漏洞编号:CVE-2018-18531
漏洞描述:kaptcha是一款基于SimpleCaptcha的验证码生成工具。
kaptcha 2.3.2版本中的多个文件存在安全漏洞,该漏洞源于程序使用‘Random’函数(而不是‘SecureRandom’函数)创建CAPTCHA值。远程攻击者可借助暴力破解的方法利用该漏洞绕过访问限制。(多个文件包括:text/impl/DefaultTextCreator.java、text/impl/ChineseTextProducer.java和text/impl/FiveLetterFirstNameTextCreator.java)
国家漏洞库信息:https://www.cnvd.org.cn/flaw/show/CNVD-2018-21509
影响范围:[0, ∞)
最小修复版本:
缺陷组件引入路径:com.ruoyi:ruoyi@4.7.3->com.github.penggle:kaptcha@2.3.2

另外还有几个漏洞,详细报告:https://mofeisec.com/jr?p=i880ba

@yangzongzhuan
Copy link
Owner

这个漏洞没有什么影响,谷歌验证码貌似是没有维护了,有需要可以自己先更换一下。
更换成 EasyCaptcha https://www.toutiao.com/i7064453150127686156
更换成 aj-captcha http://doc.ruoyi.vip/ruoyi/document/cjjc.html#集成aj-captcha实现滑块验证码

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants
@yangzongzhuan and others