CVE-2009-4269

CWE-310 CWE-9166 documents5 sources

Severity

2.1LOW

EPSS

0.8%

top 26.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Derby

Timeline

PublishedAug 16

Latest updateMay 2

Description

The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.

CVSS vector

AV:L/AC:L/C:P/I:N/A:NExploitability: 3.9 | Impact: 2.9

Affected Packages2 packages

▶Mavenorg.apache.derby:derby< 10.6.1.0

▶NVDapache/derby10.5.3.0

🔴Vulnerability Details

OSV

Use of Password Hash With Insufficient Computational Effort in Apache Derby↗2022-05-02

▶

GHSA

Use of Password Hash With Insufficient Computational Effort in Apache Derby↗2022-05-02

▶

CVEList

CVE-2009-4269: The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10↗2010-08-16

▶

OSV

CVE-2009-4269: The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10↗2010-08-16

▶

📋Vendor Advisories

Debian

CVE-2009-4269: derby - The password hash generation algorithm in the BUILTIN authentication functionali...↗2009

▶