[jira] [Updated] (JSPWIKI-1145) Weak one-way hash used

["ASF GitHub Bot (Jira)" <ji...@apache.org>]

     [ https://issues.apache.org/jira/browse/JSPWIKI-1145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

ASF GitHub Bot updated JSPWIKI-1145:
------------------------------------
    Labels: pull-request-available  (was: )

> Weak one-way hash used
> ----------------------
>
>                 Key: JSPWIKI-1145
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-1145
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication & Authorization
>            Reporter: Vicky Zhang
>            Priority: Major
>              Labels: pull-request-available
>
> In file jspwiki/jspwiki-main/src/main/java/org/apache/wiki/auth/user/AbstractUserDatabase.java, line 276, SHA is been used for hash text
> *Security Impact:* 
> The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques.
> *suggestions:*
> [NIST|https://csrc.nist.gov/projects/hash-functions] recommends the use of SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256.
> Useful link:
> [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf]
> [https://cwe.mitre.org/data/definitions/328.html]
> [https://cwe.mitre.org/data/definitions/916.html]
>  
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)