CWE Vulnerabilities in Couchbase SDK 2.7.26


We’re currently using Couchbase to manage transient information related to a large number of users across several applications. We’ve been doing this successfully for several years in our .Net Remoting applications.

However, we need to apply the same logic to our ASP.Net applications. Unfortunately our vulnerability scanning software (Veracode) has highlighted an number of CWE vlnerabilities with the Couchbase 2.7.26 client component.

CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-331: Insufficient Entropy
CWE-918: Server-Side Request Forgery (SSRF)

Has anyone come across this before? Is it a known issue?