CVE-2009-4269 - OpenCVE

The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Derby

Configuration 1 [-]

cpe:2.3:a:apache:derby:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://blogs.sun.com/kah/entry/derby_10_6_1_has
http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269
http://marc.info/?l=apache-db-general&m=127428514905504&w=1
http://marcellmajor.com/derbyhash.html
http://secunia.com/advisories/42948
http://secunia.com/advisories/42970
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
http://www.securityfocus.com/bid/42637
http://www.securitytracker.com/id?1024977
http://www.vupen.com/english/advisories/2011/0149
https://issues.apache.org/jira/browse/DERBY-4483

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2010-08-16T19:00:00

Updated: 2024-08-07T06:54:10.308Z

Reserved: 2009-12-10T00:00:00

Link: CVE-2009-4269

Vulnrichment

No data.

NVD

Status : Modified

Published: 2010-08-16T20:00:01.183

Modified: 2011-01-26T06:41:50.127

Link: CVE-2009-4269

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2010-05-19T00:00:00", "descriptions": [{"lang": "en", "value": "The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2011-01-22T10:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "[apache-db-general] 20100519 [ANNOUNCE] Apache Derby 10.6.1.0 released", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://marc.info/?l=apache-db-general&m=127428514905504&w=1"}, {"name": "42948", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/42948"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://issues.apache.org/jira/browse/DERBY-4483"}, {"tags": ["x_refsource_MISC"], "url": "http://blogs.sun.com/kah/entry/derby_10_6_1_has"}, {"name": "ADV-2011-0149", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2011/0149"}, {"name": "42970", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/42970"}, {"tags": ["x_refsource_MISC"], "url": "http://marcellmajor.com/derbyhash.html"}, {"name": "1024977", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1024977"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269"}, {"name": "42637", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/42637"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2009-4269", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[apache-db-general] 20100519 [ANNOUNCE] Apache Derby 10.6.1.0 released", "refsource": "MLIST", "url": "http://marc.info/?l=apache-db-general&m=127428514905504&w=1"}, {"name": "42948", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42948"}, {"name": "https://issues.apache.org/jira/browse/DERBY-4483", "refsource": "CONFIRM", "url": "https://issues.apache.org/jira/browse/DERBY-4483"}, {"name": "http://blogs.sun.com/kah/entry/derby_10_6_1_has", "refsource": "MISC", "url": "http://blogs.sun.com/kah/entry/derby_10_6_1_has"}, {"name": "ADV-2011-0149", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2011/0149"}, {"name": "42970", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42970"}, {"name": "http://marcellmajor.com/derbyhash.html", "refsource": "MISC", "url": "http://marcellmajor.com/derbyhash.html"}, {"name": "1024977", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1024977"}, {"name": "http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269", "refsource": "CONFIRM", "url": "http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269"}, {"name": "42637", "refsource": "BID", "url": "http://www.securityfocus.com/bid/42637"}, {"name": "http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T06:54:10.308Z"}, "title": "CVE Program Container", "references": [{"name": "[apache-db-general] 20100519 [ANNOUNCE] Apache Derby 10.6.1.0 released", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://marc.info/?l=apache-db-general&m=127428514905504&w=1"}, {"name": "42948", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/42948"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://issues.apache.org/jira/browse/DERBY-4483"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://blogs.sun.com/kah/entry/derby_10_6_1_has"}, {"name": "ADV-2011-0149", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2011/0149"}, {"name": "42970", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/42970"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://marcellmajor.com/derbyhash.html"}, {"name": "1024977", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id?1024977"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269"}, {"name": "42637", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/42637"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2009-4269", "datePublished": "2010-08-16T19:00:00", "dateReserved": "2009-12-10T00:00:00", "dateUpdated": "2024-08-07T06:54:10.308Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:derby:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA90C098-3409-4D76-997B-46E690C1F10A", "versionEndIncluding": "10.5.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution."}, {"lang": "es", "value": "El algoritmo de generaci\u00f3n del hash de la contrase\u00f1a en la funcionalidad autenticaci\u00f3n BUILTIN de Apache Derby en versiones anteriores a la v10.6.1.0 realiza una transformaci\u00f3n que reduce el tama\u00f1o del conjunto de entrada a SHA-1, lo que produce un espacio de b\u00fasqueda peque\u00f1o que facilita a usuarios locales y, posiblemente, remotos romper contrase\u00f1as generando colisiones de hash, relacionado con la substituci\u00f3n de contrase\u00f1a."}], "evaluatorComment": "Per https://issues.apache.org/jira/browse/DERBY-4483, the reported version affected is 10.5.3.0. Unable to determine if affected versions exist between 10.5.3.0 and 10.6.1.0", "id": "CVE-2009-4269", "lastModified": "2011-01-26T06:41:50.127", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2010-08-16T20:00:01.183", "references": [{"source": "secalert@redhat.com", "url": "http://blogs.sun.com/kah/entry/derby_10_6_1_has"}, {"source": "secalert@redhat.com", "url": "http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269"}, {"source": "secalert@redhat.com", "url": "http://marc.info/?l=apache-db-general&m=127428514905504&w=1"}, {"source": "secalert@redhat.com", "url": "http://marcellmajor.com/derbyhash.html"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/42948"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/42970"}, {"source": "secalert@redhat.com", "url": "http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/42637"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id?1024977"}, {"source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2011/0149"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/DERBY-4483"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}