[security-dev] updateCredential will leak
Bill Burke
bburke at redhat.com
Sun Aug 11 08:58:05 EDT 2013
updateCredential doesn't update the old one, it creates a new one. The
only reason this works is because the password handler queries for the
most current credential. (Same as TOTP).
This will be a storage leak over time as passwords are reset and tokens
added/created.
https://issues.jboss.org/browse/PLINK-238
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com