Vulnerability Details : CVE-2009-4269
The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.
Exploit prediction scoring system (EPSS) score for CVE-2009-4269
Probability of exploitation activity in the next 30 days: 0.15%
Percentile (the proportion of vulnerabilities scored at or below this score): ~51%
CVSS scores for CVE-2009-4269
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
| 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N | 3.9 | 2.9 | NIST |
CWE ids for CVE-2009-4269
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2009-4269
- http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269 (Apache Derby 10.6.1.0 Release)
- http://www.securitytracker.com/id?1024977 (Oracle Industry Applications Bugs Let Remote Users Partially Deny Service, Access Data, and Modify Data - SecurityTracker)
- https://issues.apache.org/jira/browse/DERBY-4483 ([DERBY-4483] Provide a way to change the hash algorithm used by BUILTIN authentication - ASF JIRA; Vendor Advisory)
- http://www.vupen.com/english/advisories/2011/0149
- http://marc.info/?l=apache-db-general&m=127428514905504&w=1 ('[ANNOUNCE] Apache Derby 10.6.1.0 released' - MARC)
- http://blogs.sun.com/kah/entry/derby_10_6_1_has
- http://www.securityfocus.com/bid/42637
- http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html (Oracle Critical Patch Update - January 2011)
- http://marcellmajor.com/derbyhash.html
Products affected by CVE-2009-4269
- cpe:2.3:a:apache:derby:*:*:*:*:*:*:*:*