Description
The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.
References (11)
Core 11
Core References
Various Sources x_refsource_misc
http://blogs.sun.com/kah/entry/derby_10_6_1_has
Various Sources x_refsource_misc
http://marcellmajor.com/derbyhash.html
Release Notes x_refsource_confirm
http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269
Mailing List mailing-list
x_refsource_mlist
http://marc.info/?l=apache-db-general&m=127428514905504&w=1
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/42948
Vendor Advisory x_refsource_confirm
https://issues.apache.org/jira/browse/DERBY-4483
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0149
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/42970
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id?1024977
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/42637
Vendor Advisory x_refsource_confirm
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
Scores
EPSS
0.0143
EPSS Percentile
70.0%
Details
CWE
CWE-310
Status
published
Products (2)
apache/derby
< 10.5.3.0
org.apache.derby/derby
0 - 10.6.1.0Maven
Published
Aug 16, 2010
Tracked Since
Feb 18, 2026