fkie_cve-2009-4269
Vulnerability from fkie_nvd
Published
2010-08-16 20:00
Modified
2025-04-11 00:51
Severity ?
Summary
The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:derby:*:*:*:*:*:*:*:*", matchCriteriaId: "BA90C098-3409-4D76-997B-46E690C1F10A", versionEndIncluding: "10.5.3.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.", }, { lang: "es", value: "El algoritmo de generación del hash de la contraseña en la funcionalidad autenticación BUILTIN de Apache Derby en versiones anteriores a la v10.6.1.0 realiza una transformación que reduce el tamaño del conjunto de entrada a SHA-1, lo que produce un espacio de búsqueda pequeño que facilita a usuarios locales y, posiblemente, remotos romper contraseñas generando colisiones de hash, relacionado con la substitución de contraseña.", }, ], evaluatorComment: "Per https://issues.apache.org/jira/browse/DERBY-4483, the reported version affected is 10.5.3.0. Unable to determine if affected versions exist between 10.5.3.0 and 10.6.1.0", id: "CVE-2009-4269", lastModified: "2025-04-11T00:51:21.963", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.1, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:L/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 3.9, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2010-08-16T20:00:01.183", references: [ { source: "secalert@redhat.com", url: "http://blogs.sun.com/kah/entry/derby_10_6_1_has", }, { source: "secalert@redhat.com", url: "http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269", }, { source: "secalert@redhat.com", url: "http://marc.info/?l=apache-db-general&m=127428514905504&w=1", }, { source: "secalert@redhat.com", url: "http://marcellmajor.com/derbyhash.html", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/42948", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/42970", }, { source: "secalert@redhat.com", url: "http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html", }, { source: "secalert@redhat.com", url: "http://www.securityfocus.com/bid/42637", }, { source: "secalert@redhat.com", url: "http://www.securitytracker.com/id?1024977", }, { source: "secalert@redhat.com", url: "http://www.vupen.com/english/advisories/2011/0149", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://issues.apache.org/jira/browse/DERBY-4483", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://blogs.sun.com/kah/entry/derby_10_6_1_has", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://marc.info/?l=apache-db-general&m=127428514905504&w=1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://marcellmajor.com/derbyhash.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/42948", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/42970", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/42637", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securitytracker.com/id?1024977", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.vupen.com/english/advisories/2011/0149", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://issues.apache.org/jira/browse/DERBY-4483", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Deferred", weaknesses: [ { description: [ { lang: "en", value: "CWE-310", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.