CVE-2024-47182 – github.com/amir20/dozzle
Package
Manager: go
Name: github.com/amir20/dozzle
Vulnerable Version: >=0 <8.5.3
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
EPSS: 0.00075 pctl0.2328
Details
Dozzle uses an unsafe hash for passwords

### Summary
The application hashes user passwords with plain SHA-256. It should switch to a dedicated password hash such as bcrypt.

### Details
SHA-256 is a message-digest function, not a password-hashing function. Message digests are designed to be fast, whereas password hashes (bcrypt, scrypt, Argon2, PBKDF2) are deliberately slow, salted per user and tunable in cost so that an attacker who obtains the stored hashes cannot cheaply guess the passwords offline. Refer to the links below for more information:
- https://security.stackexchange.com/questions/195563/why-is-sha-256-not-good-for-passwords
- https://stackoverflow.com/questions/11624372/best-practice-for-hashing-passwords-sha256-or-sha512
- https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pre-hashing-passwords-with-bcrypt

### PoC
N/A

### Impact
If the stored credentials are exposed, the SHA-256 digests are susceptible to rainbow-table lookups and to fast offline brute force, so users' passwords can be recovered far more cheaply than with a proper password hash.
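The following Go program is an added illustration for this advisory, not Dozzle's own code. It puts the weak pattern the advisory describes (one unsalted, hex-encoded SHA-256 over the password) next to a salted, iterated password hash. The advisory recommends bcrypt (golang.org/x/crypto/bcrypt); to stay within the standard library this example instead implements PBKDF2-HMAC-SHA256 (RFC 8018) by hand, which has the same two properties that matter here: a random per-user salt and a tunable work factor. The `weakHash`, `pbkdf2SHA256`, `HashPassword`, `VerifyPassword` and `BuildTable` names, the `pbkdf2-sha256$iter$salt$dk` storage format and the three-word "precomputed table" are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// weakHash reproduces the pattern the advisory describes: a single unsalted
// SHA-256 over the password, hex-encoded. Equal passwords give equal digests,
// so one precomputed table maps digests back to passwords for every user.
func weakHash(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// BuildTable models a tiny precomputed (rainbow/dictionary) table: digest -> password.
func BuildTable(words []string) map[string]string {
	table := make(map[string]string, len(words))
	for _, w := range words {
		table[weakHash(w)] = w
	}
	return table
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out so the
// example needs only the standard library. It stands in for bcrypt here.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, keyLen+prf.Size())
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)            // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_j = PRF(P, U_{j-1})
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// RecommendedIterations follows current OWASP guidance for PBKDF2-HMAC-SHA256.
const RecommendedIterations = 600_000

// HashPassword returns "pbkdf2-sha256$<iter>$<salt>$<dk>" with a fresh 16-byte
// random salt, so the same password hashes differently for every user.
func HashPassword(password string, iter int) (string, error) {
	if iter < 1 {
		return "", errors.New("iteration count must be at least 1")
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, iter, 32)
	enc := base64.RawStdEncoding
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iter, enc.EncodeToString(salt), enc.EncodeToString(dk)), nil
}

// VerifyPassword recomputes the hash from the stored parameters and compares in
// constant time; any malformed record verifies as false rather than panicking.
func VerifyPassword(password, encoded string) bool {
	parts := strings.Split(encoded, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false
	}
	iter, err := strconv.Atoi(parts[1])
	if err != nil || iter < 1 {
		return false
	}
	salt, err := base64.RawStdEncoding.DecodeString(parts[2])
	if err != nil {
		return false
	}
	want, err := base64.RawStdEncoding.DecodeString(parts[3])
	if err != nil || len(want) < 32 {
		return false
	}
	got := pbkdf2SHA256([]byte(password), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1
}

func main() {
	table := BuildTable([]string{"password", "123456", "letmein"}) // constructed sample
	stored := weakHash("letmein")
	if pw, ok := table[stored]; ok {
		fmt.Printf("unsalted sha256 %s... recovered by table lookup: %q\n", stored[:12], pw)
	}
	enc, _ := HashPassword("letmein", RecommendedIterations)
	fmt.Println("salted, slow hash:", enc)
	fmt.Println("verify correct:", VerifyPassword("letmein", enc), "wrong:", VerifyPassword("Letmein", enc))
}
```

The salted record never appears in the precomputed table, and each guess against it costs the full iteration count, which is the whole point of the bcrypt migration the advisory asks for. Migrating an existing store means re-hashing at next successful login (or forcing a reset), since the original passwords are not recoverable from the SHA-256 digests by the defender either.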
Metadata
Created: 2024-10-09T21:46:22Z
Modified: 2024-10-09T21:46:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-w7qr-q9fh-fj35/GHSA-w7qr-q9fh-fj35.json
CWE IDs: ["CWE-326", "CWE-328"]
Alternative ID: GHSA-w7qr-q9fh-fj35
Finding: F052
Auto approve: 1