NShiftKey

• Use of vulnerable crypto algorithm

  • Description : If the SHA1 hash function with low security is used, it is vulnerable because attacker can decrypt it.
  • Countermeasure : Use secure encryption algorithm. See link below for details. https://naver-security.github.io/nshiftkey-rule-guides/Weak_Hash_used_-_SHA1_eng
    • Target Code : Accenture-mercury-nodejs/dist/system/rest-automation.js [view change history] [ignore this]
      

      Accenture-mercury-nodejs/dist/system/rest-automation.js

      Lines 791 to 793 in aa6b397

      	if (content) {
      	const sha1 = crypto.createHash('sha1');
      	sha1.update(content);

      
        

• Potential SQL Injection

  • Description : If SQL statements are created and used using unverified input values, internal DB data can be leaked or altered.
  • Countermeasure : Verify the input values and use Stored Procedure. See the link below for more information. https://naver-security.github.io/nshiftkey-rule-guides/SQLi_-_SQL_Injection_eng
    • Target Code : Accenture-mercury-nodejs/docs/search/search_index.json [view change history] [ignore this]
      https://github.com/2lambda123/Accenture-mercury-nodejs/blob/aa6b3971b2d6eba1056aba3902e96737f36338ef/docs/search/search_index.json#L386-L388