Weak Password Hashing in Apache Derby Database by Apache
CVE-2009-4269
Summary
Apache Derby before version 10.6.1.0 contains a weakness in its BUILTIN authentication mechanism. The password hash generation algorithm applies a transformation that reduces the size of the set of inputs fed to SHA-1, leaving a restricted search space. Because many distinct passwords map to the same hash input, local and possibly remote attackers may be able to crack passwords by generating hash collisions, that is, by finding a substitute password that produces the same stored hash, and so gain unauthorized access.
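The following is an added illustration of the weakness class the summary describes; it is not Apache Derby's code, and the lossy transform it uses (keeping only the low four bits of each character) is a constructed stand-in, not Derby's actual BUILTIN algorithm. It shows why discarding input bits before SHA-1 lets two different passwords share one stored hash, how an auditor can detect that property in their own scheme, and what a salted PBKDF2-based replacement looks like. The function names and the `ITERATIONS` setting are assumptions for this example.

```python
"""Added example for the CVE-2009-4269 weakness class. The transform below is a
CONSTRUCTED stand-in, not Apache Derby's BUILTIN hashing algorithm."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# ---- the weak pattern: lossy transform, then unsalted SHA-1 ---------------
def lossy_transform(password: str) -> bytes:
    # Constructed example: keep only the low 4 bits of each character, so
    # every password collapses onto 16 possible values per position.
    return bytes(ord(c) & 0x0F for c in password)

def weak_hash(password: str) -> str:
    # Unsalted SHA-1 over the reduced input (the pattern the advisory describes).
    return hashlib.sha1(lossy_transform(password)).hexdigest()

def collision_witness(password: str) -> str:
    # Audit helper: build a different string the lossy scheme cannot tell apart
    # from `password`. Flipping bit 4 changes every character but never its low
    # nibble, so weak_hash() returns the same digest for both strings.
    return "".join(chr(ord(c) ^ 0x10) for c in password)

def effective_search_space(length: int, alphabet: int = 95) -> Tuple[int, int]:
    # Distinct inputs SHA-1 ever sees under the lossy scheme versus the number of
    # printable-ASCII passwords of the same length (the "restricted search space").
    return 16 ** length, alphabet ** length

# ---- the hardened replacement: salted PBKDF2 over the full password ------
ITERATIONS = 200_000  # assumed setting for this example; tune to your hardware

def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # PBKDF2-HMAC-SHA256 over the full UTF-8 password: no bits are discarded,
    # and a per-user random salt prevents cross-account hash matching.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def strong_verify(password: str, salt: bytes, digest: bytes) -> bool:
    # Recompute with the stored salt and compare in constant time.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    pw = "Derby2009!"          # constructed sample password
    alt = collision_witness(pw)
    print(pw, alt, weak_hash(pw) == weak_hash(alt))          # weak scheme: True
    salt, dg = strong_hash(pw)
    print(strong_verify(pw, salt, dg), strong_verify(alt, salt, dg))  # True False
    print(effective_search_space(8))                         # (16**8, 95**8)
```

Run the script to see the substitute password accepted by the weak scheme and rejected by the salted PBKDF2 scheme. The `collision_witness` check is a useful regression test for any hashing code path: if you can construct a second input that verifies against the same stored digest without touching the digest itself, the pre-hash transform is lossy and must be removed.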