GHSA-w7qr-q9fh-fj35
Suggest an improvement- Source
- https://github.com/advisories/GHSA-w7qr-q9fh-fj35
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-w7qr-q9fh-fj35/GHSA-w7qr-q9fh-fj35.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-w7qr-q9fh-fj35
- Aliases
- Published
- 2024-10-09T21:46:22Z
- Modified
- 2024-10-09T21:46:22Z
- Severity
-
- 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- 1.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
- Summary
- Dozzle uses unsafe hash for passwords
- Details
-
Summary
The app uses sha-256 as the hash for passwords. The app should switch to bcrypt.
Details
SHA-256 is a message digest hash, and not classified as secure for password hashing. Message digest hashes are designed to be fast, while password hashing mechanisms are designed with certain cryptographic properties (e.g. slow) to protect against vulnerabilities. Refer to the links below for more information: - https://security.stackexchange.com/questions/195563/why-is-sha-256-not-good-for-passwords - https://stackoverflow.com/questions/11624372/best-practice-for-hashing-passwords-sha256-or-sha512 - https://cheatsheetseries.owasp.org/cheatsheets/PasswordStorageCheat_Sheet.html#pre-hashing-passwords-with-bcrypt
PoC
N/A
Impact
It leaves users susceptible to rainbow table attacks
- References
Affected packages
Go / github.com/amir20/dozzle
Package
- Name
- github.com/amir20/dozzle
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/amir20/dozzle