[jira] [Resolved] (JSPWIKI-1145) Weak one-way hash used

["Juan Pablo Santos Rodríguez (Jira)" <ji...@apache.org>]

     [ https://issues.apache.org/jira/browse/JSPWIKI-1145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Juan Pablo Santos Rodríguez resolved JSPWIKI-1145.
--------------------------------------------------
    Fix Version/s: 2.11.0
       Resolution: Fixed

Merged [PR #51|https://github.com/apache/jspwiki/pull/51] in 2.11.0-git-05. Thanks go to [takalat|https://github.com/takalat], [samhareem|https://github.com/samhareem]!

> Weak one-way hash used
> ----------------------
>
>                 Key: JSPWIKI-1145
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-1145
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication & Authorization
>            Reporter: Vicky Zhang
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.11.0
>
>
> In file jspwiki/jspwiki-main/src/main/java/org/apache/wiki/auth/user/AbstractUserDatabase.java, line 276, SHA is been used for hash text
> *Security Impact:* 
> The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques.
> *suggestions:*
> [NIST|https://csrc.nist.gov/projects/hash-functions] recommends the use of SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256.
> Useful link:
> [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf]
> [https://cwe.mitre.org/data/definitions/328.html]
> [https://cwe.mitre.org/data/definitions/916.html]
>  
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)