[JSPWIKI-1145] Weak one-way hash used - ASF JIRA

Bulk Copy Attachments

Bulk Move Attachments

Voters

Watch issue

Watchers

Convert to sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.11.0
Component/s: Authentication & Authorization
Labels:
- pull-request-available

Description

In file jspwiki/jspwiki-main/src/main/java/org/apache/wiki/auth/user/AbstractUserDatabase.java, line 276, SHA is been used for hash text

Security Impact:

The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques.

suggestions:

NIST recommends the use of SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256.

Useful link:

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf

https://cwe.mitre.org/data/definitions/328.html

https://cwe.mitre.org/data/definitions/916.html

Please share with us your opinions/comments if there is any:

Is the bug report helpful?

Attachments

Issue Links

Add Link

links to

GitHub Pull Request #51

Delete this link

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Unassigned

Reporter:: Vicky Zhang

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 06/Feb/21 17:40

Updated:: 23/Nov/21 11:17

Resolved:: 24/Apr/21 09:55

Agile

View on Board

Weak one-way hash used