Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13N3FyLXE5ZmgtZmozNc4ABAJK
Dozzle uses unsafe hash for passwords
Summary
The app uses sha-256 as the hash for passwords. The app should switch to bcrypt.
Details
SHA-256 is a message digest hash, and not classified as secure for password hashing. Message digest hashes are designed to be fast, while password hashing mechanisms are designed with certain cryptographic properties (e.g. slow) to protect against vulnerabilities. Refer to the links below for more information:
- https://security.stackexchange.com/questions/195563/why-is-sha-256-not-good-for-passwords
- https://stackoverflow.com/questions/11624372/best-practice-for-hashing-passwords-sha256-or-sha512
- https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pre-hashing-passwords-with-bcrypt
PoC
N/A
Impact
It leaves users susceptible to rainbow table attacks
Permalink: https://github.com/advisories/GHSA-w7qr-q9fh-fj35JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13N3FyLXE5ZmgtZmozNc4ABAJK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 6 days ago
Updated: 6 days ago
CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-w7qr-q9fh-fj35, CVE-2024-47182
References:
- https://github.com/amir20/dozzle/security/advisories/GHSA-w7qr-q9fh-fj35
- https://nvd.nist.gov/vuln/detail/CVE-2024-47182
- https://github.com/amir20/dozzle/commit/de79f03aa3dbe5bb1e154a7e8d3dccbd229f3ea3
- https://pkg.go.dev/vuln/GO-2024-3163
- https://github.com/advisories/GHSA-w7qr-q9fh-fj35
Blast Radius: 1.0
Affected Packages
go:github.com/amir20/dozzle
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: < 8.5.3
Fixed in: 8.5.3
All affected versions: 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.6, 1.11.7, 1.11.8, 1.12.0, 1.12.1, 1.12.2, 1.13.0, 1.13.1, 1.14.0, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.15.4, 1.15.5, 1.15.6, 1.15.7, 1.15.8, 1.15.9, 1.16.0, 1.16.1, 1.16.2, 1.17.0, 1.17.1, 1.17.2, 1.17.3, 1.18.0, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.19.4, 1.20.0, 1.20.1, 1.20.2, 1.20.3, 1.20.4, 1.20.5, 1.20.6, 1.20.7, 1.20.8, 1.20.9, 1.20.10, 1.20.11, 1.20.12, 1.20.13, 1.20.14, 1.20.15, 1.20.16, 1.20.17, 1.20.18, 1.20.19, 1.20.20, 1.20.21, 1.21.0, 1.21.1, 1.21.2, 1.21.5, 1.21.6, 1.21.7, 1.21.8, 1.21.9, 1.22.0, 1.22.1, 1.22.2, 1.22.3, 1.22.4, 1.22.5, 1.22.6, 1.22.7, 1.22.8, 1.23.0, 1.23.1, 1.23.2, 1.24.0, 1.24.1, 1.25.0, 1.25.1, 1.25.2, 1.25.3, 1.25.4, 1.25.5, 1.25.6, 1.26.0, 1.26.1, 1.26.2, 1.27.0, 1.27.1, 1.27.2, 1.27.3, 1.28.0, 1.29.0
All unaffected versions: