CVE-2009-4269

Apache Derby <10.6.1.0 - Password Cracking

Title source: llm
STIX 2.1

Description

The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.

References (11)

Core 11
Core References
Various Sources x_refsource_misc
http://blogs.sun.com/kah/entry/derby_10_6_1_has
Various Sources x_refsource_misc
http://marcellmajor.com/derbyhash.html
Mailing List mailing-list x_refsource_mlist
http://marc.info/?l=apache-db-general&m=127428514905504&w=1
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42948
Vendor Advisory x_refsource_confirm
https://issues.apache.org/jira/browse/DERBY-4483
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0149
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42970
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1024977
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/42637

Scores

EPSS 0.0143
EPSS Percentile 70.0%

Details

CWE
CWE-310
Status published
Products (2)
apache/derby < 10.5.3.0
org.apache.derby/derby 0 - 10.6.1.0Maven
Published Aug 16, 2010
Tracked Since Feb 18, 2026