Description

The low complexity of the hashes stored in the database considerably reduces the amount of time required to crack them.

Impact

Unauthorized access, or even the insufficient data validation can make the system vulnerable.

Recommendation

Ensure that functions of password summary have a minimum size of 256 bits.

Threat

Authenticated attacker from Internet with access to the hashes.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the src.

Base

• Attack vector: A
• Attack complexity: L
• Privileges required: L
• User interaction: N
• Scope: U
• Confidentiality: L
• Integrity: N
• Availability: N

Temporal

• Exploit code maturity: X
• Remediation level: O
• Report confidence: X

Result

• Vector string: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:X
• Score:
• Base: 3.5
• Temporal: 3.4
• Severity:
• Base: Low
• Temporal: Low

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: A
• Attack complexity: L
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): L
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Result 4.0

• Vector string: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X
• Score:
• CVSS-BT: 5.1
• Severity:
• CVSS-BT: Medium

Requirements

• 134.Store passwords with salt
• 135.Passwords with random salt
• 150.Set minimum size for hash functions

Fixes

• Java
• Elixir
• C-Sharp
• Go
• Ruby
• PHP
• Scala
• Python
• TypeScript

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.