Lucene search

K
ubuntucveUbuntu.comUB:CVE-2009-4269
HistoryAug 16, 2010 - 12:00 a.m.

CVE-2009-4269

2010-08-1600:00:00
ubuntu.com
ubuntu.com
14
apache derby
password hash
sha-1
attack
vulnerability

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

EPSS

0.002

Percentile

51.8%

The password hash generation algorithm in the BUILTIN authentication
functionality for Apache Derby before 10.6.1.0 performs a transformation
that reduces the size of the set of inputs to SHA-1, which produces a small
search space that makes it easier for local and possibly remote attackers
to crack passwords by generating hash collisions, related to password
substitution.

Notes

Author Note
ebarretto ignoring this CVE for esm-apps/xenial because we don’t have plans to fix this.

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

EPSS

0.002

Percentile

51.8%