
We are getting these issues from VAPT.

Using implementation 'com.salesforce.marketingcloud:marketingcloudsdk:8.0.9'

1:

App uses SQLite Database and executes raw SQL queries. Untrusted user input in raw SQL queries can cause SQL Injection. Also sensitive information should be encrypted and written to the database. com/salesforce/marketingcloud/storage/b.java com/salesforce/marketingcloud/storage/db/b.java

2:

The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks. high CWE: CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking OWASP Top 10: M5: Insufficient Cryptography OWASP MASVS: MSTG-CRYPTO-3 com/salesforce/marketingcloud/tozny/AesCbcWithIntegrity.java

3:

"""SHA-1 is a weak hash known to have hash collisions com/salesforce/marketingcloud/sfmcsdk/components/encryption/Encryptor.java com/salesforce/marketingcloud/sfmcsdk/components/encryption/SalesforceKeyGenerator.ja"""

4:

Files may contain hardcoded sensitive information like usernames, passwords, keys etc. warning CWE: CWE-312: Cleartext Storage of Sensitive Information OWASP Top 10: M9: Reverse Engineering OWASP MASVS: MSTG-STORAGE-14 com/salesforce/marketingcloud/events/g.java com/salesforce/marketingcloud/events/h.java com/salesforce/marketingcloud/registration/Registration.java

Are these fixed already in any release, or is there any plan to fix these in upcoming releases? Any solution would be appreciated here.
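The CWE cited in finding 2 (CWE-649) is about missing integrity checking rather than CBC as such: a padding oracle needs a decryptor that reports padding failures on attacker-modified ciphertext. The following is an added example (my code, not the SDK's, with constructed demo keys and a hypothetical class name) of the encrypt-then-MAC pattern that closes that gap, verifying an HMAC over IV||ciphertext in constant time before the cipher ever touches the data; AES/GCM/NoPadding is the simpler alternative where a single authenticated mode is acceptable.

```java
import java.nio.ByteBuffer;
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public final class CbcWithHmac { // added example, not SDK code
    private static final int IV_LEN = 16, MAC_LEN = 32; // AES block size, HmacSHA256 length

    private static byte[] hmac(SecretKey macKey, byte[] iv, byte[] ct) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        mac.update(iv);
        return mac.doFinal(ct);
    }

    // Output layout: IV (16) || ciphertext || HMAC-SHA256(IV || ciphertext) (32)
    static byte[] encrypt(byte[] plaintext, SecretKey encKey, SecretKey macKey) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh random IV per message
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] tag = hmac(macKey, iv, ct);
        return ByteBuffer.allocate(IV_LEN + ct.length + MAC_LEN).put(iv).put(ct).put(tag).array();
    }

    static byte[] decrypt(byte[] blob, SecretKey encKey, SecretKey macKey) throws Exception {
        if (blob.length < IV_LEN + 16 + MAC_LEN) throw new SecurityException("truncated input");
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(blob, IV_LEN, blob.length - MAC_LEN);
        byte[] tag = Arrays.copyOfRange(blob, blob.length - MAC_LEN, blob.length);
        // Constant-time compare before the cipher sees the data: a forged blob can never reach BadPaddingException.
        if (!MessageDigest.isEqual(hmac(macKey, iv, ct), tag)) throw new SecurityException("MAC mismatch");
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(iv));
        return cipher.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] k1 = new byte[32], k2 = new byte[32]; // constructed demo keys; in practice use two distinct keys from a KeyStore or KDF
        rng.nextBytes(k1); rng.nextBytes(k2);
        SecretKey encKey = new SecretKeySpec(k1, "AES"), macKey = new SecretKeySpec(k2, "HmacSHA256");
        byte[] blob = encrypt("contact-key=demo".getBytes("UTF-8"), encKey, macKey);
        blob[IV_LEN] ^= 1; // tamper with one ciphertext bit
        try { decrypt(blob, encKey, macKey); } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```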

All security questions should be routed through your account executive who will route the information through Salesforce security. Commented Jun 5 at 12:46
