Ying Zhang created JSPWIKI-1145:
-----------------------------------
Summary: Weak one-way hash used
Key: JSPWIKI-1145
URL: https://issues.apache.org/jira/browse/JSPWIKI-1145
Project: JSPWiki
Issue Type: Improvement
Components: Authentication & Authorization
Reporter: Ying Zhang
In file
jspwiki/jspwiki-main/src/main/java/org/apache/wiki/auth/user/AbstractUserDatabase.java,
line 276, SHA is been used for hash text
*Security Impact:*
The product uses a hashing algorithm that produces a hash value that can be
used to determine the original input, or to find an input that can produce the
same hash, more efficiently than brute force techniques.
*suggestions:*
[NIST|https://csrc.nist.gov/projects/hash-functions] recommends the use of
SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256.
Useful link:
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf]
[https://cwe.mitre.org/data/definitions/328.html]
[https://cwe.mitre.org/data/definitions/916.html]
*Please share with us your opinions/comments if there is any:*
Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
