CWE-1391
Allowed-with-ReviewUse of Weak Credentials
Abstraction: Class · Status: Incomplete
The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.
98 vulnerabilities reference this CWE, most recent first.
GHSA-8JM2-4R4F-748V
Vulnerability from github – Published: 2024-03-25 06:30 – Updated: 2025-03-28 09:30HGW BL1500HM Ver 002.001.013 and earlier contains a use of week credentials issue. A network-adjacent unauthenticated attacker may change the system settings.
{
"affected": [],
"aliases": [
"CVE-2024-29071"
],
"database_specific": {
"cwe_ids": [
"CWE-1391",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-25T04:15:09Z",
"severity": "HIGH"
},
"details": "HGW BL1500HM Ver 002.001.013 and earlier contains a use of week credentials issue. A network-adjacent unauthenticated attacker may change the system settings.",
"id": "GHSA-8jm2-4r4f-748v",
"modified": "2025-03-28T09:30:30Z",
"published": "2024-03-25T06:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29071"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU93546510"
},
{
"type": "WEB",
"url": "https://kddi-tech.com/contents/appendix_L2_06.html#20304f4c-af1b-49fd-c3b5-8d1f55fd8b4f"
},
{
"type": "WEB",
"url": "https://www.au.com/support/service/internet/guide/modem/bl1500hm/firmware"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9V64-447R-WCH6
Vulnerability from github – Published: 2022-05-13 01:12 – Updated: 2024-01-24 21:21The generate_password function in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide a sufficient number of possible temporary passwords, which allows remote attackers to obtain access via a brute-force attack.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.7.2"
},
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.6.5"
},
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.5.8"
},
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-7845"
],
"database_specific": {
"cwe_ids": [
"CWE-1391"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-15T22:32:55Z",
"nvd_published_at": "2014-11-24T11:59:00Z",
"severity": "HIGH"
},
"details": "The generate_password function in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide a sufficient number of possible temporary passwords, which allows remote attackers to obtain access via a brute-force attack.",
"id": "GHSA-9v64-447r-wch6",
"modified": "2024-01-24T21:21:56Z",
"published": "2022-05-13T01:12:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-7845"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/04f2e83ce76cf931e6614497c1a7cc6c8afb9454"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/3128901f99d41d9368e81ffc67f4bc0535221e02"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/40a04658232d898223462f84d8cd35510338acbe"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/ece03f3b13c5eefa7bb008401b9414eed620eebc"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=275152"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20150914064838/http://www.securitytracker.com/id/1031215"
},
{
"type": "WEB",
"url": "http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-47050"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2014/11/17/11"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Moodle Temporary Passwords are Brute Force-able"
}
GHSA-9X7X-HW35-PFRH
Vulnerability from github – Published: 2026-05-08 12:31 – Updated: 2026-05-08 15:31Weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs for user authentication. The system supports the use of PIN-based credentials, maintaining compatibility with POS software integrations deployed since 2012. This could allow an attacker to easily perform a brute-force attack against a user and gain access by trying different PINs without the account being locked. Successful exploitation of this vulnerability could result in unauthorized access to confidential configuration settings, compromising the security of the system.
{
"affected": [],
"aliases": [
"CVE-2026-8076"
],
"database_specific": {
"cwe_ids": [
"CWE-1391"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T12:16:29Z",
"severity": "CRITICAL"
},
"details": "Weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs for user authentication. The system supports the use of PIN-based credentials, maintaining compatibility with POS software integrations deployed since 2012. This could allow an attacker to easily perform a brute-force attack against a user and gain access by trying different PINs without the account being locked. Successful exploitation of this vulnerability could result in unauthorized access to confidential configuration settings, compromising the security of the system.",
"id": "GHSA-9x7x-hw35-pfrh",
"modified": "2026-05-08T15:31:20Z",
"published": "2026-05-08T12:31:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8076"
},
{
"type": "WEB",
"url": "https://labs.itresit.es/2026/05/07/cashdro-vulnerabilities-from-pentest-to-stealing-money"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cashdro-3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-C32J-VQHX-RX3X
Vulnerability from github – Published: 2026-05-18 17:24 – Updated: 2026-06-02 22:12JWT.decode(token, '', true, algorithm: 'HS256') accepts an attacker-forged token.
OpenSSL::HMAC.digest('SHA256', '', payload) returns a valid digest under an empty key, and no raise
InvalidKeyError if key.empty? precondition exists in the HMAC algorithm.
JWT.decode(token, "", true, algorithm: 'HS256')
-> JWA::Hmac.verify(verification_key: "", ...)
-> OpenSSL::HMAC.digest('SHA256', "", signing_input) == signature
The same path is reached when a keyfinder block or key_finder: argument returns "", nil, or an array containing nil for an unknown key. JWT::Decode#find_key only rejects literal nil and empty arrays, and JWT::JWA::Hmac silently coerces nil to "" (signing_key ||= '') before signing.
JWT.decode(token, nil, true, algorithms: ['HS256']) { |_h| "" }
-> find_key returns "" # "" && !Array("").empty? == true
-> JWA::Hmac.verify(verification_key: "", ...)
-> verifies
Common application patterns that produce the unsafe value: redis.get("kid:#{kid}").to_s, ORM string columns with default: '', ENV['SECRET'] || '', Hash.new('') lookups, [primary, fallback] where fallback may be nil. Applications passing a non-empty static key:, or whose keyfinder returns nil / raises on miss, are not affected.
The existing enforce_hmac_key_length option would block this but defaults to false. On OpenSSL ≥ 3.5 the empty-key HMAC.digest call no longer raises, so the OpenSSL-3.0 rescue in JWA::Hmac#sign does not fire.
Affects HS256/HS384/HS512 via both JWT.decode (positional key and block keyfinder) and
JWT::EncodedToken#verify_signature!(key_finder:)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "jwt"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "jwt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.10.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45363"
],
"database_specific": {
"cwe_ids": [
"CWE-1391",
"CWE-287",
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T17:24:55Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "`JWT.decode(token, \u0027\u0027, true, algorithm: \u0027HS256\u0027)` accepts an attacker-forged token.\n`OpenSSL::HMAC.digest(\u0027SHA256\u0027, \u0027\u0027, payload)` returns a valid digest under an empty key, and no `raise\n InvalidKeyError if key.empty?` precondition exists in the HMAC algorithm.\n\n```\nJWT.decode(token, \"\", true, algorithm: \u0027HS256\u0027)\n -\u003e JWA::Hmac.verify(verification_key: \"\", ...)\n -\u003e OpenSSL::HMAC.digest(\u0027SHA256\u0027, \"\", signing_input) == signature\n```\n\nThe same path is reached when a keyfinder block or key_finder: argument returns \"\", nil, or an\narray containing nil for an unknown key. JWT::Decode#find_key only rejects literal nil and empty\narrays, and JWT::JWA::Hmac silently coerces nil to \"\" (signing_key ||= \u0027\u0027) before signing.\n\n```\nJWT.decode(token, nil, true, algorithms: [\u0027HS256\u0027]) { |_h| \"\" }\n -\u003e find_key returns \"\" # \"\" \u0026\u0026 !Array(\"\").empty? == true\n -\u003e JWA::Hmac.verify(verification_key: \"\", ...)\n -\u003e verifies\n```\nCommon application patterns that produce the unsafe value: `redis.get(\"kid:#{kid}\").to_s`, ORM string columns with `default: \u0027\u0027`, `ENV[\u0027SECRET\u0027] || \u0027\u0027, Hash.new(\u0027\u0027)` lookups, [primary, fallback] where fallback may be nil. Applications passing a non-empty static key:, or whose keyfinder returns nil / raises on miss, are not affected.\n\nThe existing `enforce_hmac_key_length` option would block this but defaults to false. On OpenSSL \u2265 3.5 the empty-key HMAC.digest call no longer raises, so the OpenSSL-3.0 rescue in JWA::Hmac#sign does not fire.\n\nAffects HS256/HS384/HS512 via both JWT.decode (positional key and block keyfinder) and\n`JWT::EncodedToken#verify_signature!(key_finder:)`",
"id": "GHSA-c32j-vqhx-rx3x",
"modified": "2026-06-02T22:12:50Z",
"published": "2026-05-18T17:24:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jwt/ruby-jwt/security/advisories/GHSA-c32j-vqhx-rx3x"
},
{
"type": "WEB",
"url": "https://github.com/jwt/ruby-jwt/issues/724"
},
{
"type": "WEB",
"url": "https://github.com/jwt/ruby-jwt/commit/db560b769a07bd9724e77ff505011ac01872106f"
},
{
"type": "PACKAGE",
"url": "https://github.com/jwt/ruby-jwt"
},
{
"type": "WEB",
"url": "https://github.com/jwt/ruby-jwt/releases/tag/v2.10.3"
},
{
"type": "WEB",
"url": "https://github.com/jwt/ruby-jwt/releases/tag/v3.2.0"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jwt/CVE-2026-45363.yml"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45363"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351"
}
GHSA-CH84-4CGH-F3FC
Vulnerability from github – Published: 2026-04-17 09:31 – Updated: 2026-04-17 09:31Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain a use of weak credentials vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to unauthorized access to the system.
{
"affected": [],
"aliases": [
"CVE-2026-23853"
],
"database_specific": {
"cwe_ids": [
"CWE-1391"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-17T08:16:16Z",
"severity": "HIGH"
},
"details": "Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain a use of weak credentials vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to unauthorized access to the system.",
"id": "GHSA-ch84-4cgh-f3fc",
"modified": "2026-04-17T09:31:18Z",
"published": "2026-04-17T09:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23853"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CM8M-44XC-F932
Vulnerability from github – Published: 2026-01-26 12:30 – Updated: 2026-01-26 12:30The Access Manager 92xx in hardware revision K7 is based on Linux instead of Windows CE embedded in older hardware revisions. In this new hardware revision it was noticed that an SSH service is exposed on port 22. By analyzing the firmware of the devices, it was noticed that there are two users with hardcoded and weak passwords that can be used to access the devices via SSH. The passwords can be also guessed very easily. The password of at least one user is set to a random value after the first deployment, with the restriction that the password is only randomized if the configured date is prior to 2022. Therefore, under certain circumstances, the passwords are not randomized. For example, if the clock is never set on the device, the battery of the clock module has been changed, the Access Manager has been factory reset and has not received a time yet.
{
"affected": [],
"aliases": [
"CVE-2025-59103"
],
"database_specific": {
"cwe_ids": [
"CWE-1391"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-26T10:16:08Z",
"severity": "CRITICAL"
},
"details": "The Access Manager 92xx in hardware revision K7 is based on Linux instead of Windows CE embedded in older hardware revisions. In this new hardware revision it was noticed that an SSH service is exposed on port 22. By analyzing the firmware of the devices, it was noticed that there are two users with hardcoded and weak passwords that can be used to access the devices via SSH. The passwords can be also guessed very easily. The password of at least one user is set to a random value after the first deployment, with the restriction that the password is only randomized if the configured date is prior to 2022. Therefore, under certain circumstances, the passwords are not randomized. For example, if the clock is never set on the device, the battery of the clock module has been changed, the Access Manager has been factory reset and has not received a time yet.",
"id": "GHSA-cm8m-44xc-f932",
"modified": "2026-01-26T12:30:29Z",
"published": "2026-01-26T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59103"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/dkaccess"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/dormakaba"
},
{
"type": "WEB",
"url": "https://www.dormakabagroup.com/en/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CRRP-JMHW-5CXR
Vulnerability from github – Published: 2024-07-10 18:32 – Updated: 2024-07-10 18:32Under certain circumstances the Software House C●CURE 9000 installer will utilize weak credentials.
{
"affected": [],
"aliases": [
"CVE-2024-32759"
],
"database_specific": {
"cwe_ids": [
"CWE-1391"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-10T18:15:03Z",
"severity": "HIGH"
},
"details": "Under certain circumstances the Software House C\u25cfCURE 9000 installer will utilize weak credentials.",
"id": "GHSA-crrp-jmhw-5cxr",
"modified": "2024-07-10T18:32:17Z",
"published": "2024-07-10T18:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32759"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-191-04"
},
{
"type": "WEB",
"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F629-3Q3F-3V3G
Vulnerability from github – Published: 2025-08-18 21:31 – Updated: 2025-08-18 21:31TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain insecure credentials for the telnet service and root account.
{
"affected": [],
"aliases": [
"CVE-2025-55584"
],
"database_specific": {
"cwe_ids": [
"CWE-1391"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-18T20:15:30Z",
"severity": "MODERATE"
},
"details": "TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain insecure credentials for the telnet service and root account.",
"id": "GHSA-f629-3q3f-3v3g",
"modified": "2025-08-18T21:31:20Z",
"published": "2025-08-18T21:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55584"
},
{
"type": "WEB",
"url": "https://github.com/goldenGlow21/softwares_PoC/blob/main/A3002R_V4/Telnet/PoC.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F74C-6MFP-RG2Q
Vulnerability from github – Published: 2024-04-02 12:30 – Updated: 2024-09-30 12:30A Use of Weak Credentials vulnerability affecting the Wi-Fi network generated by a set of DJI drones could allow a remote attacker to derive the WPA2 PSK key and authenticate without permission to the drone’s Wi- Fi network. This, in turn, allows the attacker to perform unauthorized interaction with the network services exposed by the drone and to potentially decrypt the Wi-Fi traffic exchanged between the drone and the Android/IOS device of the legitimate user during QuickTransfer mode. Affected models are Mavic 3 Pro until v01.01.0300, Mavic 3 until v01.00.1200, Mavic 3 Classic until v01.00.0500, Mavic 3 Enterprise until v07.01.10.03, Matrice 300 until v57.00.01.00, Matrice M30 until v07.01.0022 and Mini 3 Pro until v01.00.0620.
{
"affected": [],
"aliases": [
"CVE-2023-6951"
],
"database_specific": {
"cwe_ids": [
"CWE-1391",
"CWE-334"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-02T11:15:51Z",
"severity": "MODERATE"
},
"details": "A Use of Weak Credentials vulnerability affecting the Wi-Fi network generated by a set of DJI drones could allow a remote attacker to derive the WPA2 PSK key and authenticate without permission to the drone\u2019s Wi- Fi network. This, in turn, allows the attacker to perform unauthorized interaction with the network services exposed by the drone and to potentially decrypt the Wi-Fi traffic exchanged between the drone and the Android/IOS device of the legitimate user during QuickTransfer mode. Affected models are Mavic 3 Pro until v01.01.0300, Mavic 3 until v01.00.1200, Mavic 3 Classic until v01.00.0500, Mavic 3 Enterprise until v07.01.10.03, Matrice 300 until v57.00.01.00, Matrice M30 until v07.01.0022 and Mini 3 Pro until v01.00.0620.",
"id": "GHSA-f74c-6mfp-rg2q",
"modified": "2024-09-30T12:30:33Z",
"published": "2024-04-02T12:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6951"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2023-6951"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F7VV-Q49X-RVWW
Vulnerability from github – Published: 2024-10-07 15:31 – Updated: 2024-10-07 15:31The E2EE password entropy generated by Rocket.Chat Mobile prior to version 4.5.1 is insufficient, allowing attackers to crack it if they have the appropriate time and resources.
{
"affected": [],
"aliases": [
"CVE-2024-42027"
],
"database_specific": {
"cwe_ids": [
"CWE-1391"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-07T13:15:15Z",
"severity": "MODERATE"
},
"details": "The E2EE password entropy generated by Rocket.Chat Mobile prior to version 4.5.1 is insufficient, allowing attackers to crack it if they have the appropriate time and resources.",
"id": "GHSA-f7vv-q49x-rvww",
"modified": "2024-10-07T15:31:39Z",
"published": "2024-10-07T15:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42027"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2546437"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
When the user changes or sets a password, check the password against a database of already compromised or breached passwords. These passwords are likely to be used in password guessing attacks.
No CAPEC attack patterns related to this CWE.