
Marcell Major

#53378 of 53,640
2.1 CVSS total
Vulnerabilities · 1
PT-2010-1340
2.1
2010-08-16
Apache · Apache Derby · CVE-2009-4269
**Name of the Vulnerable Software and Affected Versions**
Apache Derby versions prior to 10.6.1.0

**Description**
The issue concerns the password hash generation algorithm in the BUILTIN authentication functionality. It performs a transformation that reduces the size of the set of inputs to SHA-1, resulting in a small search space. This makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.

**Recommendations**
For versions prior to 10.6.1.0, update to version 10.6.1.0 or later to resolve the issue.