CVSS2

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | AV:L/AC:L/Au:N/C:P/I:N/A:N |

EPSS

Metric | Value |
---|---|
Percentile | 51.8% |

The password hash generation algorithm in the BUILTIN authentication
functionality for Apache Derby before 10.6.1.0 performs a transformation
that reduces the size of the set of inputs to SHA-1, which produces a small
search space that makes it easier for local and possibly remote attackers
to crack passwords by generating hash collisions, related to password
substitution.
Author | Note |
---|---|
ebarretto | ignoring this CVE for esm-apps/xenial because we don’t have plans to fix this. |