You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jspwiki.apache.org by "Ying Zhang (Jira)" <ji...@apache.org> on 2021/02/06 17:41:00 UTC
[jira] [Created] (JSPWIKI-1145) Weak one-way hash used
Ying Zhang created JSPWIKI-1145:
-----------------------------------
Summary: Weak one-way hash used
Key: JSPWIKI-1145
URL: https://issues.apache.org/jira/browse/JSPWIKI-1145
Project: JSPWiki
Issue Type: Improvement
Components: Authentication & Authorization
Reporter: Ying Zhang
In file jspwiki/jspwiki-main/src/main/java/org/apache/wiki/auth/user/AbstractUserDatabase.java, line 276, SHA is been used for hash text
*Security Impact:*
The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques.
*suggestions:*
[NIST|https://csrc.nist.gov/projects/hash-functions] recommends the use of SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256.
Useful link:
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf]
[https://cwe.mitre.org/data/definitions/328.html]
[https://cwe.mitre.org/data/definitions/916.html]
*Please share with us your opinions/comments if there is any:*
Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)