CVE-2009-4269: Use of Password Hash With Insufficient Computational Effort in Apache Derby

May 2, 2022 (updated August 15, 2022)

The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.

References

db.apache.org/derby/releases/release-10.6.1.0.cgi
marc.info/?l=apache-db-general&m=127428514905504&w=1
www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
github.com/advisories/GHSA-fh32-35w2-rxcc
issues.apache.org/jira/browse/DERBY-4483
nvd.nist.gov/vuln/detail/CVE-2009-4269

Code Behaviors & Features

Detect and mitigate CVE-2009-4269 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →