ID | Product | Version | Vulnerability
SUID-2019-00004 | Scytl Secure Vote (sVote) | 2.1 | Hardcoded PKCS12 Passwords
*SUID IDs reference security issues and bad practices that are not necessarily exploitable but might still cause issues in certain scenarios.
Description
The mixnet-spring component uses hardcoded passwords for certificates:
evoting-solution/source-code/online-voting-mixing/mixnet-spring/src/main/java/com/scytl/products/ov/mixnet/spring/MixingSecureLoggerConfig.java
private static final String CIPHER_PKCS12_PSWD = "649VRY52GXXCNJH48X5F";
private static final String SIGNATURE_PKCS12_PSWD = "GXXCNJH48X5F649VRY52";
These hardcoded values are used later in the same file:
secureAppender.setCipherPkcs12FileName(CIPHER_PKCS12_CERTIFICATE);
secureAppender.setCipherPkcs12Password(CIPHER_PKCS12_PSWD);
secureAppender.setSignaturePkcs12FileName(SIGNATURE_PKCS12_CERTIFICATE);
secureAppender.setSignaturePkcs12Password(SIGNATURE_PKCS12_PSWD);
Since the mixnet-spring library isn't intended for "high-trust" environments, these hardcoded passwords might not be directly attackable.
Further iterations, however, might reuse the code or implement unsafe coding practices which render the vulnerability exploitable.
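One way to avoid compiling the PKCS12 passwords into the jar is to read them at startup from a secret file provisioned with the deployment. The following is an added example, not code from sVote or from the vendor; the class name, method names and the secret-file approach are assumptions, and the demo keystore and password in main are constructed at runtime.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.security.KeyStore;
import java.util.Set;
import java.util.UUID;
// Added example; class, method and file names are hypothetical, not sVote code.
public class ExternalPkcs12Password {
    // Read the PKCS12 password from a deployment-provisioned secret file; fails closed.
    static char[] readPassword(Path secret) throws Exception {
        if (Files.getFileStore(secret).supportsFileAttributeView("posix")) {
            Set<PosixFilePermission> p = Files.getPosixFilePermissions(secret);
            if (p.contains(PosixFilePermission.GROUP_READ) || p.contains(PosixFilePermission.OTHERS_READ)) {
                throw new SecurityException("secret file is readable by group/others: " + secret);
            }
        }
        String value = new String(Files.readAllBytes(secret), StandardCharsets.UTF_8).trim();
        if (value.isEmpty()) {
            throw new IllegalStateException("empty PKCS12 password in " + secret);
        }
        return value.toCharArray();
    }

    // Open a PKCS12 container with a password supplied at runtime.
    static KeyStore open(Path p12, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(p12)) {
            ks.load(in, password); // throws IOException on a wrong password
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo input: a random password file and an empty PKCS12 file.
        Path secret = Files.createTempFile("cipher-p12", ".pw");
        Files.write(secret, (UUID.randomUUID() + "\n").getBytes(StandardCharsets.UTF_8));
        Path p12 = Files.createTempFile("cipher", ".p12");
        KeyStore fresh = KeyStore.getInstance("PKCS12");
        fresh.load(null, null);
        try (OutputStream out = Files.newOutputStream(p12)) {
            fresh.store(out, readPassword(secret));
        }
        KeyStore ks = open(p12, readPassword(secret));
        System.out.println("opened PKCS12 with " + ks.size() + " entries");
    }
}
```

With this approach each installation can carry its own PKCS12 password, and rotating it does not require a rebuild.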
Timeline
Date | Event
February 07 2020 | Submitted issue to vendor
February 13 2020 | Vendor acknowledged the issue
Credits
Name | Team
Anthony Schneiter | SUID
Jannis Kirschner | SUID