Details
- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Done
- Affects Version/s: None
- Fix Version/s: 9.4
- Component/s: Authentication & Authorization
- Labels:
- Edition: Community
- Production Notes: None
Description
SHA1 was used to hash passwords in SonarQube. It was replaced by bcrypt in 2018 and by PBKDF2 in 2021.
We kept the SHA1 implementation for compatibility: a user could still log in with their password (verified against the stored SHA1 hash), and on a successful login the stored hash was replaced with one computed by the new algorithm, giving a smooth and transparent transition.
To reduce SonarQube's attack surface, we now want to remove this fallback entirely. Users who have not logged in since 2018, and therefore still have a SHA1 hash, will have to ask an administrator to reset their password.
- Impacted users won't be able to log in anymore; a SonarQube admin needs to reset their password.
- Upgrade Notes: mention that local users who have not logged in since SonarQube 7.2 have their password deactivated and that a SonarQube admin needs to reset it.
- Database Migration: list all users whose password uses a removed hash algorithm and log them as a warning in the migration logs.
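The transition described above (verify against the legacy hash, then re-hash on success), the post-change behaviour (the legacy algorithm is never evaluated) and the requested migration warning, as an added illustrative example in Python. This is not SonarQube's own Java implementation: the salted-SHA1 format, the PBKDF2 iteration count, the record layout and the user names are assumptions constructed for the example.

```python
import hashlib
import hmac
import logging
import secrets

logger = logging.getLogger("db-migration")

# Assumptions for this example only; SonarQube's real parameters and schema differ.
PBKDF2_ITERATIONS = 100_000
REMOVED_ALGORITHMS = frozenset({"SHA1"})


def legacy_sha1(password: str, salt: str) -> str:
    """Assumed legacy scheme (salted SHA1); kept only to seed sample records."""
    return hashlib.sha1((salt + password).encode()).hexdigest()


def pbkdf2_hash(password: str, salt: str) -> str:
    """Current scheme: PBKDF2-HMAC-SHA512 over the password, hex encoded."""
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode(), bytes.fromhex(salt), PBKDF2_ITERATIONS
    )
    return digest.hex()


def make_user(login: str, password: str, method: str) -> dict:
    """Constructed sample record with the three fields the logic below needs."""
    salt = secrets.token_hex(16)
    if method == "SHA1":
        crypted = legacy_sha1(password, salt)
    elif method == "PBKDF2":
        crypted = pbkdf2_hash(password, salt)
    else:
        raise ValueError(f"unknown hash method {method}")
    return {"login": login, "hash_method": method, "salt": salt, "crypted_password": crypted}


def _store_pbkdf2(user: dict, password: str) -> None:
    """Re-hash with the current algorithm under a fresh salt."""
    user["salt"] = secrets.token_hex(16)
    user["crypted_password"] = pbkdf2_hash(password, user["salt"])
    user["hash_method"] = "PBKDF2"


def authenticate_with_transition(user: dict, password: str) -> bool:
    """Transitional behaviour described in the issue: a SHA1 user who presents
    the right password is let in and silently upgraded to PBKDF2."""
    method = user["hash_method"]
    if method == "SHA1":
        ok = hmac.compare_digest(legacy_sha1(password, user["salt"]), user["crypted_password"])
        if ok:
            _store_pbkdf2(user, password)
        return ok
    if method == "PBKDF2":
        return hmac.compare_digest(pbkdf2_hash(password, user["salt"]), user["crypted_password"])
    return False


def authenticate_after_removal(user: dict, password: str) -> bool:
    """Behaviour after this change: a removed algorithm is never evaluated, so
    the login fails even with the correct password; only PBKDF2 is verified."""
    if user["hash_method"] in REMOVED_ALGORITHMS:
        return False
    if user["hash_method"] != "PBKDF2":
        return False
    return hmac.compare_digest(pbkdf2_hash(password, user["salt"]), user["crypted_password"])


def report_removed_hashes(users: list) -> list:
    """Migration step: list local users still on a removed algorithm and warn,
    so an administrator knows whose password must be reset."""
    affected = sorted(u["login"] for u in users if u["hash_method"] in REMOVED_ALGORITHMS)
    for login in affected:
        logger.warning(
            "User '%s' has a password hashed with a removed algorithm; "
            "an administrator must reset it", login,
        )
    return affected


def admin_reset_password(user: dict, new_password: str) -> None:
    """The only recovery path left for an affected user."""
    _store_pbkdf2(user, new_password)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    alice = make_user("alice", "s3cret", "SHA1")   # dormant since the SHA1 era
    bob = make_user("bob", "hunter2", "PBKDF2")    # already on the current scheme
    print("transition login:", authenticate_with_transition(alice, "s3cret"), alice["hash_method"])
    carol = make_user("carol", "pw", "SHA1")
    print("after removal:", authenticate_after_removal(carol, "pw"))
    print("migration warned about:", report_removed_hashes([alice, bob, carol]))
```

The point of `authenticate_after_removal` is that a SHA1 record is rejected before any hashing happens, so the legacy code path (and any weakness in it) is unreachable; the migration report is what tells the administrator which accounts that silent rejection will hit.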
Attachments
Issue Links
- relates to SONAR-6949 Update the hash algorithm of password from sha1 to bcrypt (Closed)
- relates to SONAR-14582 Update password hashing algorithm from bcrypt to PBKDF2WithHmacSHA512 (Closed)