CVE-2009-4269

Severity Score

2.1

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.

El algoritmo de generación del hash de la contraseña en la funcionalidad autenticación BUILTIN de Apache Derby en versiones anteriores a la v10.6.1.0 realiza una transformación que reduce el tamaño del conjunto de entrada a SHA-1, lo que produce un espacio de búsqueda pequeño que facilita a usuarios locales y, posiblemente, remotos romper contraseñas generando colisiones de hash, relacionado con la substitución de contraseña.

*Credits: N/A

CVSS Scores

NISTv2 2.1

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2009-12-10 CVE Reserved
2010-08-16 CVE Published
2023-07-15 EPSS Updated
2024-08-07 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-310: Cryptographic Issues

CAPEC

References (11)

URL	Tag	Source
http://blogs.sun.com/kah/entry/derby_10_6_1_has	X_refsource_misc
http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269	X_refsource_confirm
http://marc.info/?l=apache-db-general&m=127428514905504&w=1	Mailing List
http://marcellmajor.com/derbyhash.html	X_refsource_misc
http://secunia.com/advisories/42948	Third Party Advisory
http://secunia.com/advisories/42970	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html	X_refsource_confirm
http://www.securityfocus.com/bid/42637	Vdb Entry
http://www.securitytracker.com/id?1024977	Vdb Entry
http://www.vupen.com/english/advisories/2011/0149	Vdb Entry

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://issues.apache.org/jira/browse/DERBY-4483	2011-01-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Derby Search vendor "Apache" for product "Derby"				<= 10.5.3.0 Search vendor "Apache" for product "Derby" and version " <= 10.5.3.0"		-		Affected