You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jspwiki.apache.org by "Juan Pablo Santos Rodríguez (Jira)" <ji...@apache.org> on 2021/04/24 09:56:00 UTC
[jira] [Resolved] (JSPWIKI-1145) Weak one-way hash used
[ https://issues.apache.org/jira/browse/JSPWIKI-1145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Juan Pablo Santos Rodríguez resolved JSPWIKI-1145.
--------------------------------------------------
Fix Version/s: 2.11.0
Resolution: Fixed
Merged [PR #51|https://github.com/apache/jspwiki/pull/51] in 2.11.0-git-05. Thanks go to [takalat|https://github.com/takalat], [samhareem|https://github.com/samhareem]!
> Weak one-way hash used
> ----------------------
>
> Key: JSPWIKI-1145
> URL: https://issues.apache.org/jira/browse/JSPWIKI-1145
> Project: JSPWiki
> Issue Type: Improvement
> Components: Authentication & Authorization
> Reporter: Vicky Zhang
> Priority: Major
> Labels: pull-request-available
> Fix For: 2.11.0
>
>
> In file jspwiki/jspwiki-main/src/main/java/org/apache/wiki/auth/user/AbstractUserDatabase.java, line 276, SHA is been used for hash text
> *Security Impact:*
> The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques.
> *suggestions:*
> [NIST|https://csrc.nist.gov/projects/hash-functions] recommends the use of SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256.
> Useful link:
> [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf]
> [https://cwe.mitre.org/data/definitions/328.html]
> [https://cwe.mitre.org/data/definitions/916.html]
>
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)