Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc2MzYtcTVmYy00cHI3
accounts: Hash account number using Salt
@alovak found that currently when we build hash of account number we do not "salt" it. Which makes it vulnerable to rainbow table attack.
What did you expect to see?
I expected salt (some random number from configuration) to be used in hash.AccountNumber
I would generate salt per tenant at least (maybe per organization).
Permalink: https://github.com/advisories/GHSA-g636-q5fc-4pr7JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc2MzYtcTVmYy00cHI3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-g636-q5fc-4pr7
References:
- https://github.com/moov-io/customers/security/advisories/GHSA-g636-q5fc-4pr7
- https://github.com/advisories/GHSA-g636-q5fc-4pr7
Blast Radius: 0.0
Affected Packages
go:github.com/moov-io/customers
Dependent packages: 9Dependent repositories: 2
Downloads:
Affected Version Ranges: < 0.5.0
Fixed in: 0.5.0
All affected versions: 0.0.0, 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.4.0, 0.4.1
All unaffected versions: 0.5.0, 0.5.1, 0.5.2