GHSA-w7qr-q9fh-fj35: Weak Encryption
First published: Wed Oct 09 2024(Updated: )
### Summary The app uses sha-256 as the hash for passwords. The app should switch to bcrypt. ### Details SHA-256 is a message digest hash, and not classified as secure for password hashing. Message digest hashes are designed to be fast, while password hashing mechanisms are designed with certain cryptographic properties (e.g. slow) to protect against vulnerabilities. Refer to the links below for more information: - https://security.stackexchange.com/questions/195563/why-is-sha-256-not-good-for-passwords - https://stackoverflow.com/questions/11624372/best-practice-for-hashing-passwords-sha256-or-sha512 - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pre-hashing-passwords-with-bcrypt ### PoC N/A ### Impact It leaves users susceptible to rainbow table attacks
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/amir20/dozzle | <8.5.3 | 8.5.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-w7qr-q9fh-fj35
- alias/CVE-2024-47182
- agent/software-canonical-lookup
- agent/severity
- agent/last-modified-date
- agent/references
- agent/weakness
- agent/description
- agent/softwarecombine
- agent/first-publish-date
- agent/event
- agent/type
- agent/tags
- agent/trending
- package-manager/go