You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@jspwiki.apache.org by "Ying Zhang (Jira)" <ji...@apache.org> on 2021/02/06 17:41:00 UTC

[jira] [Created] (JSPWIKI-1145) Weak one-way hash used

Ying Zhang created JSPWIKI-1145:
-----------------------------------

             Summary: Weak one-way hash used
                 Key: JSPWIKI-1145
                 URL: https://issues.apache.org/jira/browse/JSPWIKI-1145
             Project: JSPWiki
          Issue Type: Improvement
          Components: Authentication &amp; Authorization
            Reporter: Ying Zhang


In file jspwiki/jspwiki-main/src/main/java/org/apache/wiki/auth/user/AbstractUserDatabase.java, line 276, SHA is been used for hash text

*Security Impact:* 

The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques.

*suggestions:*

[NIST|https://csrc.nist.gov/projects/hash-functions] recommends the use of SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256.

Useful link:

[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf]

[https://cwe.mitre.org/data/definitions/328.html]

[https://cwe.mitre.org/data/definitions/916.html]

 

*Please share with us your opinions/comments if there is any:*

Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)