GHSA-w7qr-q9fh-fj35

Source
https://github.com/advisories/GHSA-w7qr-q9fh-fj35
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-w7qr-q9fh-fj35/GHSA-w7qr-q9fh-fj35.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w7qr-q9fh-fj35
Aliases
Published
2024-10-09T21:46:22Z
Modified
2024-10-09T21:46:22Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  • 1.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
Summary
Dozzle uses unsafe hash for passwords
Details

Summary

The app uses SHA-256 as the hash for passwords. The app should switch to bcrypt.

Details

SHA-256 is a message digest hash and is not considered secure for password hashing. Message digest hashes are designed to be fast, while password hashing mechanisms are designed with specific properties (e.g. being slow) to protect against vulnerabilities. Refer to the links below for more information:
  • https://security.stackexchange.com/questions/195563/why-is-sha-256-not-good-for-passwords
  • https://stackoverflow.com/questions/11624372/best-practice-for-hashing-passwords-sha256-or-sha512
  • https://cheatsheetseries.owasp.org/cheatsheets/PasswordStorageCheat_Sheet.html#pre-hashing-passwords-with-bcrypt

PoC

N/A

Impact

It leaves users susceptible to rainbow table attacks.
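
The Go sketch below is an added example, not code from Dozzle or from this advisory. It classifies stored password values as bare SHA-256 digests or bcrypt strings, and shows the property behind the Details and Impact sections: the unsalted digest stores identical values for identical passwords. The user names, sample values and function names are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strconv"
)

// A bare 64-hex-digit value has the shape of an unsalted SHA-256 digest.
var sha256Hex = regexp.MustCompile(`^[0-9a-fA-F]{64}$`)
// bcrypt string: $2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char hash.
var bcryptMCF = regexp.MustCompile(`^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$`)

// unsaltedSHA256 reproduces the weak scheme: one fast digest, no salt.
func unsaltedSHA256(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// classify names the scheme a stored value appears to use; cost is bcrypt-only.
func classify(stored string) (scheme string, cost int) {
	if m := bcryptMCF.FindStringSubmatch(stored); m != nil {
		cost, _ = strconv.Atoi(m[1])
		return "bcrypt", cost
	}
	if sha256Hex.MatchString(stored) {
		return "sha256-unsalted", 0
	}
	return "unknown", 0
}

func main() {
	// Constructed sample records (hypothetical users, not Dozzle's file format).
	records := [][2]string{
		{"alice", unsaltedSHA256("correct horse")},
		{"bob", unsaltedSHA256("correct horse")}, // same password as alice
		{"carol", "$2a$11$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz."}, // placeholder, not a real hash
	}
	seen := map[string]string{} // stored value -> first user holding it
	for _, r := range records {
		scheme, cost := classify(r[1])
		fmt.Printf("%-6s scheme=%s cost=%d\n", r[0], scheme, cost)
		if first, dup := seen[r[1]]; dup {
			fmt.Printf("  same stored value as %s: no per-user salt\n", first)
		}
		seen[r[1]] = r[0]
	}
}
```

Any record reported as `sha256-unsalted` after upgrading to a fixed version still carries the weak hash and needs its password re-hashed.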

Database specific
{
    "nvd_published_at": "2024-09-27T14:15:04Z",
    "cwe_ids": [
        "CWE-326",
        "CWE-328"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-09T21:46:22Z"
}
References

Affected packages

Go / github.com/amir20/dozzle

Package

Name
github.com/amir20/dozzle
Purl
pkg:golang/github.com/amir20/dozzle

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
8.5.3