[security-dev] updateCredential will leak

Bill Burke bburke at redhat.com
Sun Aug 11 08:58:05 EDT 2013


updateCredential doesn't update the old one; it creates a new one.  The 
only reason this works is because the password handler queries for the 
most current credential.  (Same as TOTP.)

This will be a storage leak over time as passwords are reset and tokens 
added/created.

https://issues.jboss.org/browse/PLINK-238


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
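The behaviour Bill describes, as an added illustration that is not PicketLink code and is not part of the original message: an append-only `update_credential` that keeps working only because `current()` returns the newest record, beside a variant that retires the previous record on update and prunes it. All class, function and field names here (`LeakyStore`, `BoundedStore`, `PasswordCredential`, `simulate`) are hypothetical; the sample user and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


# Hypothetical credential record; PicketLink's real entities differ.
@dataclass
class PasswordCredential:
    salt: bytes
    digest: bytes
    effective: int                 # time this record became the current one
    expiry: Optional[int] = None   # None means it has not been retired


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a low iteration count to keep the demo fast; raise it in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class LeakyStore:
    """Append-only update, as described in the post: every update inserts a new
    record and never retires the previous one. Lookups still work because they
    return the most recently effective record, so the growth goes unnoticed."""

    def __init__(self) -> None:
        self.records: Dict[str, List[PasswordCredential]] = {}

    def update_credential(self, user: str, password: str, now: int) -> None:
        salt = os.urandom(16)
        self.records.setdefault(user, []).append(
            PasswordCredential(salt, _hash(password, salt), now))

    def current(self, user: str, now: int) -> Optional[PasswordCredential]:
        # "most current credential": newest record that is effective and not retired
        live = [r for r in self.records.get(user, [])
                if r.effective <= now and (r.expiry is None or now < r.expiry)]
        return max(live, key=lambda r: r.effective) if live else None

    def stored_count(self, user: str) -> int:
        return len(self.records.get(user, []))


class BoundedStore(LeakyStore):
    """Same API, but an update retires the previous record and prunes retired
    ones, so storage per user stays constant however often it is reset."""

    def update_credential(self, user: str, password: str, now: int) -> None:
        for r in self.records.get(user, []):
            if r.expiry is None:
                r.expiry = now          # retire whatever was current until now
        super().update_credential(user, password, now)
        # drop retired records; keep only the one still in force
        self.records[user] = [r for r in self.records[user] if r.expiry is None]


def validate(store: LeakyStore, user: str, password: str, now: int) -> bool:
    cred = store.current(user, now)
    if cred is None:
        return False
    return hmac.compare_digest(_hash(password, cred.salt), cred.digest)


def simulate(store_cls, resets: int = 20) -> dict:
    """Reset one user's password `resets` times and report what is left behind."""
    store = store_cls()
    t0 = 1000
    for i in range(resets):
        store.update_credential("alice", f"pw{i}", t0 + i)   # constructed sample data
    now = t0 + resets
    return {
        "stored": store.stored_count("alice"),
        "latest_ok": validate(store, "alice", f"pw{resets - 1}", now),
        "old_ok": validate(store, "alice", "pw0", now),
    }


if __name__ == "__main__":
    print("leaky  ", simulate(LeakyStore))     # stored grows with every reset
    print("bounded", simulate(BoundedStore))   # stored stays at 1
```

Both stores authenticate the latest password and reject the old one, which is exactly why the leak is invisible to functional tests; only the record count per user gives it away. If password history is a requirement, the pruning step in `BoundedStore` can keep a fixed number of retired records instead of none, which still bounds growth.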

