[
https://issues.apache.org/jira/browse/JSPWIKI-1145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Juan Pablo Santos Rodríguez resolved JSPWIKI-1145.
--------------------------------------------------
Fix Version/s: 2.11.0
Resolution: Fixed
Merged [PR #51|https://github.com/apache/jspwiki/pull/51] in 2.11.0-git-05.
Thanks go to [takalat|https://github.com/takalat],
[samhareem|https://github.com/samhareem]!
> Weak one-way hash used
> ----------------------
>
> Key: JSPWIKI-1145
> URL: https://issues.apache.org/jira/browse/JSPWIKI-1145
> Project: JSPWiki
> Issue Type: Improvement
> Components: Authentication & Authorization
> Reporter: Vicky Zhang
> Priority: Major
> Labels: pull-request-available
> Fix For: 2.11.0
>
>
> In file
> jspwiki/jspwiki-main/src/main/java/org/apache/wiki/auth/user/AbstractUserDatabase.java,
> line 276, SHA is been used for hash text
> *Security Impact:*
> The product uses a hashing algorithm that produces a hash value that can be
> used to determine the original input, or to find an input that can produce
> the same hash, more efficiently than brute force techniques.
> *suggestions:*
> [NIST|https://csrc.nist.gov/projects/hash-functions] recommends the use of
> SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256.
> Useful link:
> [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf]
> [https://cwe.mitre.org/data/definitions/328.html]
> [https://cwe.mitre.org/data/definitions/916.html]
>
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
