CWE-328
AllowedUse of Weak Hash
Abstraction: Base · Status: Draft
The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
149 vulnerabilities reference this CWE, most recent first.
GHSA-HV9M-498V-FP67
Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2025-05-22 21:30Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use the descrypt algorithm for OS password hashing. While interactive, network-based logons are disabled, and attackers can use the other vulnerabilities within this report to obtain local shell access and access these hashes.
{
"affected": [],
"aliases": [
"CVE-2019-13539"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-328"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-08T20:15:00Z",
"severity": "HIGH"
},
"details": "Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use the descrypt algorithm for OS password hashing. While interactive, network-based logons are disabled, and attackers can use the other vulnerabilities within this report to obtain local shell access and access these hashes.",
"id": "GHSA-hv9m-498v-fp67",
"modified": "2025-05-22T21:30:31Z",
"published": "2022-05-24T22:01:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13539"
},
{
"type": "WEB",
"url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/valleylab-generator-rfid-vulnerabilities.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-19-311-02"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsma-19-311-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HX2H-VJW2-8R54
Vulnerability from github – Published: 2025-09-17 20:11 – Updated: 2025-09-26 16:19Impact
The DragonFly2 uses a variety of hash functions, including the MD5 hash. This algorithm does not provide collision resistance; it is secure only against preimage attacks. While these security guarantees may be enough for the DragonFly2 system, it is not completely clear if there are any scenarios where lack of the collision resistance would compromise the system. There are no clear benefits to keeping the MD5 hash function in the system.
var pieceDigests []string
for i := int32(0); i < t.TotalPieces; i++ {
pieceDigests = append(pieceDigests, t.Pieces[i].Md5)
}
digest := digest.SHA256FromStrings(pieceDigests...)
if digest != t.PieceMd5Sign {
t.Errorf("invalid digest, desired: %s, actual: %s", t.PieceMd5Sign, digest)
t.invalid.Store(true)
return ErrInvalidDigest
}
Alice, a peer in the DragonFly2 system, creates two images: an innocent one, and one with malicious code. Both images consist of two pieces, and Alice generates the pieces so that their respective MD5 hashes collide (are the same). Therefore, the PieceMd5Sign metadata of both images are equal. Alice shares the innocent image with other peers, who attest to their validity (i.e., that it works as expected and is not malicious). Bob wants to download the image and requests it from the peer-to-peer network. After downloading the image, Bob checks its integrity with a SHA256 hash that is known to him. Alice, who is participating in the network, had already provided Bob the other image, the malicious one. Bob unintentionally uses the malicious image.
Patches
- Dragonfy v2.1.0 and above.
Workarounds
There are no effective workarounds, beyond upgrading.
References
A third party security audit was performed by Trail of Bits, you can see the full report.
If you have any questions or comments about this advisory, please email us at dragonfly-maintainers@googlegroups.com.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/dragonflyoss/dragonfly"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "d7y.io/dragonfly/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59354"
],
"database_specific": {
"cwe_ids": [
"CWE-328"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-17T20:11:58Z",
"nvd_published_at": "2025-09-17T20:15:38Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe DragonFly2 uses a variety of hash functions, including the MD5 hash. This algorithm does not provide collision resistance; it is secure only against preimage attacks. While these security guarantees may be enough for the DragonFly2 system, it is not completely clear if there are any scenarios where lack of the collision resistance would compromise the system. There are no clear benefits to keeping the MD5 hash function in the system.\n\n```golang\nvar pieceDigests []string\nfor i := int32(0); i \u003c t.TotalPieces; i++ {\n pieceDigests = append(pieceDigests, t.Pieces[i].Md5)\n}\ndigest := digest.SHA256FromStrings(pieceDigests...)\nif digest != t.PieceMd5Sign {\n t.Errorf(\"invalid digest, desired: %s, actual: %s\", t.PieceMd5Sign, digest)\n t.invalid.Store(true)\n return ErrInvalidDigest\n}\n```\n\nAlice, a peer in the DragonFly2 system, creates two images: an innocent one, and one with malicious code. Both images consist of two pieces, and Alice generates the pieces so that their respective MD5 hashes collide (are the same). Therefore, the PieceMd5Sign metadata of both images are equal. Alice shares the innocent image with other peers, who attest to their validity (i.e., that it works as expected and is not malicious). Bob wants to download the image and requests it from the peer-to-peer network. After downloading the image, Bob checks its integrity with a SHA256 hash that is known to him. Alice, who is participating in the network, had already provided Bob the other image, the malicious one. Bob unintentionally uses the malicious image.\n\n### Patches\n\n- Dragonfy v2.1.0 and above.\n\n### Workarounds\n\nThere are no effective workarounds, beyond upgrading.\n\n### References\n\nA third party security audit was performed by Trail of Bits, you can see the [full report](https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf).\n\nIf you have any questions or comments about this advisory, please email us at [dragonfly-maintainers@googlegroups.com](mailto:dragonfly-maintainers@googlegroups.com).",
"id": "GHSA-hx2h-vjw2-8r54",
"modified": "2025-09-26T16:19:42Z",
"published": "2025-09-17T20:11:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-hx2h-vjw2-8r54"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59354"
},
{
"type": "PACKAGE",
"url": "https://github.com/dragonflyoss/dragonfly"
},
{
"type": "WEB",
"url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3973"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "DragonFly has weak integrity checks for downloaded files"
}
GHSA-J4J6-8W77-M9G6
Vulnerability from github – Published: 2025-03-14 15:32 – Updated: 2025-03-14 15:32The device uses a weak hashing alghorithm to create the password hash. Hence, a matching password can be easily calculated by an attacker. This impacts the security and the integrity of the device.
{
"affected": [],
"aliases": [
"CVE-2025-27595"
],
"database_specific": {
"cwe_ids": [
"CWE-328"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-14T13:15:40Z",
"severity": "CRITICAL"
},
"details": "The device uses a weak hashing alghorithm to create the password hash. Hence, a matching password can be easily calculated by an attacker. This impacts the security and the integrity of the device.",
"id": "GHSA-j4j6-8w77-m9g6",
"modified": "2025-03-14T15:32:03Z",
"published": "2025-03-14T15:32:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27595"
},
{
"type": "WEB",
"url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
},
{
"type": "WEB",
"url": "https://github.security.telekom.com/2025/03/multiple-vulnerabilities-in-sick-dl100.html"
},
{
"type": "WEB",
"url": "https://sick.com/psirt"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/3.1"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0004.json"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0004.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JMX5-5G59-G2RW
Vulnerability from github – Published: 2024-02-02 00:31 – Updated: 2025-08-07 21:31Gessler GmbH WEB-MASTER user account is stored using a weak hashing algorithm. The attacker can restore the passwords by breaking the hashes stored on the device.
{
"affected": [],
"aliases": [
"CVE-2024-1040"
],
"database_specific": {
"cwe_ids": [
"CWE-327",
"CWE-328"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-01T22:15:55Z",
"severity": "MODERATE"
},
"details": "Gessler GmbH WEB-MASTER user account is stored using a weak hashing algorithm. The attacker can restore the passwords by breaking the hashes stored on the device.",
"id": "GHSA-jmx5-5g59-g2rw",
"modified": "2025-08-07T21:31:03Z",
"published": "2024-02-02T00:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1040"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JXC4-W54C-QV5R
Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2026-02-06 22:58An issue was discovered in Mattermost Server before 3.8.2 and 3.7.5. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7.5-0.20170421192444-247cd1e51a8c"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "3.8.0"
},
{
"fixed": "3.8.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-18917"
],
"database_specific": {
"cwe_ids": [
"CWE-328"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-06T22:58:55Z",
"nvd_published_at": "2020-06-19T20:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Mattermost Server before 3.8.2 and 3.7.5. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens.",
"id": "GHSA-jxc4-w54c-qv5r",
"modified": "2026-02-06T22:58:55Z",
"published": "2022-05-24T17:21:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18917"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/247cd1e51a8c943628dc650e87e794b06aad4c2b"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/b74e85653660525d351d090a1e1874ae933bcbc8"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Mattermost Server uses weak hashing for OAuth, email verification tokens and invitations"
}
GHSA-M8V7-7WRX-2VVH
Vulnerability from github – Published: 2026-03-09 09:30 – Updated: 2026-03-09 09:30An unauthenticated attacker can abuse the weak hash of the backup generated by the wwwdnload.cgi endpoint to gain unauthorized access to sensitive data, including password hashes and certificates.
{
"affected": [],
"aliases": [
"CVE-2025-41762"
],
"database_specific": {
"cwe_ids": [
"CWE-328"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-09T09:16:00Z",
"severity": "MODERATE"
},
"details": "An unauthenticated attacker can abuse the weak hash of the backup generated by the wwwdnload.cgi endpoint to gain unauthorized access to sensitive data, including password hashes and certificates.",
"id": "GHSA-m8v7-7wrx-2vvh",
"modified": "2026-03-09T09:30:31Z",
"published": "2026-03-09T09:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41762"
},
{
"type": "WEB",
"url": "https://www.mbs-solutions.de/mbs-2025-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MPJ8-Q39X-WQ5H
Vulnerability from github – Published: 2023-10-25 21:14 – Updated: 2023-11-08 17:43Impact
Summary
Crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both (1) defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005 and (2) defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. Remediation of this issue might be very difficult, as the changes required to fix this issue would change the output of this method and thus break most, if not all, current uses of this method as configured by default.
Potential Impact:
- If used to protect passwords, the impact is high.
- If used to generate signatures, the impact is high.
Probability / risk analysis / attack enumeration:
- [For at most $45,000][SHA1 is a Shambles], an attacker, given control of only the beginning of a crypto-js PBKDF2 input, can create a value which has identical cryptographic signature to any chosen known value.
- Due to the length extension attack on SHA1, we can create a value that has identical signature to any unknown value, provided it is prefixed by a known value. It does not matter if PBKDF2 applies 'salt' or 'pepper' or any other secret unknown to the attacker. It will still create an identical signature.
[SHA1 is a Shambles]: https://eprint.iacr.org/2020/014.pdf "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust, Gaëtan Leurent and Thomas Peyrin"
crypto-js has 10,642 public users as displayed on NPM, today October 11th 2023. The number of transient dependents is likely several orders of magnitude higher.
A very rough GitHub search shows 432 files cross GitHub using PBKDF2 in crypto-js in Typescript or JavaScript, but not specifying any number of iterations.
Affected versions
All versions are impacted. This code has been the same since crypto-js was first created.
Further Cryptanalysis
The issue here is especially egregious because the length extension attack makes useless any secret that might be appended to the plaintext before calculating its signature.
Consider a scheme in which a secret is created for a user's username, and that secret is used to protect e.g. their passwords. Let's say that password is 'fake-password', and their username is 'example-username'.
To encrypt the user password via symmetric encryption we might do encrypt(plaintext: 'fake-password', encryption_key: cryptojs.pbkdf2(value: 'example username' + salt_or_pepper)). By this means, we would, in theory, create an encryption_key that can be determined from the public username, but which requires the secret salt_or_pepper to generate. This is a common scheme for protecting passwords, as exemplified in bcrypt & scrypt. Because the encryption key is symmetric, we can use this derived key to also decrypt the ciphertext.
Because of the length extension issue, if the attacker obtains (via attack 1), a collision with 'example username', the attacker does not need to know salt_or_pepper to decrypt their account data, only their public username.
Description
PBKDF2 is a key-derivation function that is used for two main purposes: (1) to stretch or squash a variable length password's entropy into a fixed size for consumption by another cryptographic operation and (2) to reduce the chance of downstream operations recovering the password input (for example, for password storage).
Unlike the modern webcrypto standard, crypto-js does not throw an error when a number of iterations is not specified, and defaults to one single iteration. In the year 1993, when PBKDF2 was originally specified, the minimum number of iterations suggested was set at 1,000. Today, OWASP recommends 1,300,000:
https://github.com/entronad/crypto-es/blob/aa48d48413549addc06cd737a272466d5fc1b5e6/lib/pbkdf2.js#L35-L39
Workarounds
Consult the OWASP PBKDF2 Cheatsheet. Configure to use SHA256 with at least 250,000 iterations.
Coordinated disclosure
This issue was simultaneously submitted to crypto-js and crypto-es on the 23rd of October 2023.
Caveats
This issue was found in a security review that was not scoped to crypto-es. This report is not an indication that crypto-es has undergone a formal security assessment by the author.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "crypto-es"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46133"
],
"database_specific": {
"cwe_ids": [
"CWE-327",
"CWE-328",
"CWE-916"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-25T21:14:44Z",
"nvd_published_at": "2023-10-25T21:15:10Z",
"severity": "CRITICAL"
},
"details": "### Impact\n#### Summary\nCrypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and [at least 1,300,000 times weaker than current industry standard][OWASP PBKDF2 Cheatsheet]. This is because it both (1) defaults to [SHA1][SHA1 wiki], a cryptographic hash algorithm considered insecure [since at least 2005][Cryptanalysis of SHA-1] and (2) defaults to [one single iteration][one iteration src], a \u0027strength\u0027 or \u0027difficulty\u0027 value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to [preimage][preimage attack] and [collision][collision attack] attacks. Remediation of this issue might be very difficult, as the changes required to fix this issue would change the output of this method and thus break most, if not all, current uses of this method as configured by default.\n\nPotential Impact:\n\n1. If used to protect passwords, the impact is high.\n2. If used to generate signatures, the impact is high.\n\nProbability / risk analysis / attack enumeration:\n\n1. [For at most $45,000][SHA1 is a Shambles], an attacker, given control of only the beginning of a crypto-js PBKDF2 input, can create a value which has _identical cryptographic signature_ to any chosen known value.\n4. Due to the [length extension attack] on SHA1, we can create a value that has identical signature to any _unknown_ value, provided it is prefixed by a known value. It does not matter if PBKDF2 applies \u0027[salt][cryptographic salt]\u0027 or \u0027[pepper][cryptographic pepper]\u0027 or any other secret unknown to the attacker. It will still create an identical signature.\n\n[cryptographic salt]: https://en.wikipedia.org/wiki/Salt_(cryptography) \"Salt (cryptography), Wikipedia\"\n[cryptographic pepper]: https://en.wikipedia.org/wiki/Pepper_(cryptography) \"Pepper (cryptography), Wikipedia\"\n[SHA1 wiki]: https://en.wikipedia.org/wiki/SHA-1 \"SHA-1, Wikipedia\"\n[Cryptanalysis of SHA-1]: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html \"Cryptanalysis of SHA-1\"\n[one iteration src]: https://github.com/brix/crypto-js/blob/1da3dabf93f0a0435c47627d6f171ad25f452012/src/pbkdf2.js#L22-L26 \"crypto-js/src/pbkdf2.js lines 22-26\"\n[collision attack]: https://en.wikipedia.org/wiki/Hash_collision \"Collision Attack, Wikipedia\"\n[preimage attack]: https://en.wikipedia.org/wiki/Preimage_attack \"Preimage Attack, Wikipedia\"\n[SHA1 is a Shambles]: https://eprint.iacr.org/2020/014.pdf \"SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1\nand Application to the PGP Web of Trust, Ga\u00ebtan Leurent and Thomas Peyrin\"\n[Length Extension attack]: https://en.wikipedia.org/wiki/Length_extension_attack \"Length extension attack, Wikipedia\"\n\ncrypto-js has 10,642 public users [as displayed on NPM][crypto-js, NPM], today October 11th 2023. The number of transient dependents is likely several orders of magnitude higher.\n\nA very rough GitHub search[ shows 432 files][GitHub search: affected files] cross GitHub using PBKDF2 in crypto-js in Typescript or JavaScript, but not specifying any number of iterations.\n\n[OWASP PBKDF2 Cheatsheet]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 \"OWASP PBKDF2 Cheatsheet\"\n[crypto-js, NPM]: https://www.npmjs.com/package/crypto-js \"crypto-js on NPM\"\n[GitHub search: affected files]: https://github.com/search?q=%22crypto-js%22+AND+pbkdf2+AND+%28lang%3AJavaScript+OR+lang%3ATypeScript%29++NOT+%22iterations%22\u0026type=code\u0026p=2 \"GitHub search: crypto-js AND pbkdf2 AND (lang:JavaScript OR lang:TypeScript) NOT iterations\"\n\n#### Affected versions\nAll versions are impacted. This code has been the same since crypto-js was first created.\n\n#### Further Cryptanalysis\n\nThe issue here is especially egregious because the length extension attack makes useless any secret that might be appended to the plaintext before calculating its signature.\n\nConsider a scheme in which a secret is created for a user\u0027s username, and that secret is used to protect e.g. their passwords. Let\u0027s say that password is \u0027fake-password\u0027, and their username is \u0027example-username\u0027.\n\nTo encrypt the user password via symmetric encryption we might do `encrypt(plaintext: \u0027fake-password\u0027, encryption_key: cryptojs.pbkdf2(value: \u0027example username\u0027 + salt_or_pepper))`. By this means, we would, in theory, create an `encryption_key` that can be determined from the public username, but which requires the secret `salt_or_pepper` to generate. This is a common scheme for protecting passwords, as exemplified in bcrypt \u0026 scrypt. Because the encryption key is symmetric, we can use this derived key to also decrypt the ciphertext.\n\nBecause of the length extension issue, if the attacker obtains (via attack 1), a collision with \u0027example username\u0027, the attacker _does not need to know_ `salt_or_pepper` to decrypt their account data, only their public username.\n\n### Description\n\nPBKDF2 is a key-derivation function that is used for two main purposes: (1) to stretch or squash a variable length password\u0027s entropy into a fixed size for consumption by another cryptographic operation and (2) to reduce the chance of downstream operations recovering the password input (for example, for password storage).\n\nUnlike the modern [webcrypto](https://w3c.github.io/webcrypto/#pbkdf2-operations) standard, crypto-js does not throw an error when a number of iterations is not specified, and defaults to one single iteration. In the year 1993, when PBKDF2 was originally specified, the minimum number of iterations suggested was set at 1,000. Today, [OWASP recommends 1,300,000][OWASP PBKDF2 Cheatsheet]:\n\nhttps://github.com/entronad/crypto-es/blob/aa48d48413549addc06cd737a272466d5fc1b5e6/lib/pbkdf2.js#L35-L39\n\n### Workarounds\nConsult the [OWASP PBKDF2 Cheatsheet]. Configure to use SHA256 with at least 250,000 iterations.\n\n### Coordinated disclosure\nThis issue was simultaneously submitted to [crypto-js](https://github.com/brix/crypto-js) and [crypto-es](https://github.com/entronad/crypto-es) on the 23rd of October 2023.\n\n### Caveats\n\nThis issue was found in a security review that was _not_ scoped to crypto-es. This report is not an indication that crypto-es has undergone a formal security assessment by the author.\n\n\n",
"id": "GHSA-mpj8-q39x-wq5h",
"modified": "2023-11-08T17:43:32Z",
"published": "2023-10-25T21:14:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46133"
},
{
"type": "WEB",
"url": "https://github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757"
},
{
"type": "PACKAGE",
"url": "https://github.com/entronad/crypto-es"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "crypto-es PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard"
}
GHSA-MQ9C-J62J-H6CJ
Vulnerability from github – Published: 2023-11-14 12:30 – Updated: 2025-01-14 12:31A vulnerability has been identified in SCALANCE XB205-3 (SC, PN) (All versions < V4.5), SCALANCE XB205-3 (ST, E/IP) (All versions < V4.5), SCALANCE XB205-3 (ST, E/IP) (All versions < V4.5), SCALANCE XB205-3 (ST, PN) (All versions < V4.5), SCALANCE XB205-3LD (SC, E/IP) (All versions < V4.5), SCALANCE XB205-3LD (SC, PN) (All versions < V4.5), SCALANCE XB208 (E/IP) (All versions < V4.5), SCALANCE XB208 (PN) (All versions < V4.5), SCALANCE XB213-3 (SC, E/IP) (All versions < V4.5), SCALANCE XB213-3 (SC, PN) (All versions < V4.5), SCALANCE XB213-3 (ST, E/IP) (All versions < V4.5), SCALANCE XB213-3 (ST, PN) (All versions < V4.5), SCALANCE XB213-3LD (SC, E/IP) (All versions < V4.5), SCALANCE XB213-3LD (SC, PN) (All versions < V4.5), SCALANCE XB216 (E/IP) (All versions < V4.5), SCALANCE XB216 (PN) (All versions < V4.5), SCALANCE XC206-2 (SC) (All versions < V4.5), SCALANCE XC206-2 (ST/BFOC) (All versions < V4.5), SCALANCE XC206-2G PoE (All versions < V4.5), SCALANCE XC206-2G PoE (54 V DC) (All versions < V4.5), SCALANCE XC206-2G PoE EEC (54 V DC) (All versions < V4.5), SCALANCE XC206-2SFP (All versions < V4.5), SCALANCE XC206-2SFP EEC (All versions < V4.5), SCALANCE XC206-2SFP G (All versions < V4.5), SCALANCE XC206-2SFP G (EIP DEF.) (All versions < V4.5), SCALANCE XC206-2SFP G EEC (All versions < V4.5), SCALANCE XC208 (All versions < V4.5), SCALANCE XC208EEC (All versions < V4.5), SCALANCE XC208G (All versions < V4.5), SCALANCE XC208G (EIP def.) (All versions < V4.5), SCALANCE XC208G EEC (All versions < V4.5), SCALANCE XC208G PoE (All versions < V4.5), SCALANCE XC208G PoE (54 V DC) (All versions < V4.5), SCALANCE XC216 (All versions < V4.5), SCALANCE XC216-3G PoE (All versions < V4.5), SCALANCE XC216-3G PoE (54 V DC) (All versions < V4.5), SCALANCE XC216-4C (All versions < V4.5), SCALANCE XC216-4C G (All versions < V4.5), SCALANCE XC216-4C G (EIP Def.) (All versions < V4.5), SCALANCE XC216-4C G EEC (All versions < V4.5), SCALANCE XC216EEC (All versions < V4.5), SCALANCE XC224 (All versions < V4.5), SCALANCE XC224-4C G (All versions < V4.5), SCALANCE XC224-4C G (EIP Def.) (All versions < V4.5), SCALANCE XC224-4C G EEC (All versions < V4.5), SCALANCE XF204 (All versions < V4.5), SCALANCE XF204 DNA (All versions < V4.5), SCALANCE XF204-2BA (All versions < V4.5), SCALANCE XF204-2BA DNA (All versions < V4.5), SCALANCE XP208 (All versions < V4.5), SCALANCE XP208 (Ethernet/IP) (All versions < V4.5), SCALANCE XP208EEC (All versions < V4.5), SCALANCE XP208PoE EEC (All versions < V4.5), SCALANCE XP216 (All versions < V4.5), SCALANCE XP216 (Ethernet/IP) (All versions < V4.5), SCALANCE XP216EEC (All versions < V4.5), SCALANCE XP216POE EEC (All versions < V4.5), SCALANCE XR324WG (24 x FE, AC 230V) (All versions < V4.5), SCALANCE XR324WG (24 X FE, DC 24V) (All versions < V4.5), SCALANCE XR326-2C PoE WG (All versions < V4.5), SCALANCE XR326-2C PoE WG (without UL) (All versions < V4.5), SCALANCE XR328-4C WG (24XFE, 4XGE, 24V) (All versions < V4.5), SCALANCE XR328-4C WG (24xFE, 4xGE,DC24V) (All versions < V4.5), SCALANCE XR328-4C WG (24xFE,4xGE,AC230V) (All versions < V4.5), SCALANCE XR328-4C WG (24xFE,4xGE,AC230V) (All versions < V4.5), SCALANCE XR328-4C WG (28xGE, AC 230V) (All versions < V4.5), SCALANCE XR328-4C WG (28xGE, DC 24V) (All versions < V4.5), SIPLUS NET SCALANCE XC206-2 (All versions < V4.5), SIPLUS NET SCALANCE XC206-2SFP (All versions < V4.5), SIPLUS NET SCALANCE XC208 (All versions < V4.5), SIPLUS NET SCALANCE XC216-4C (All versions < V4.5). Affected devices use a weak checksum algorithm to protect the configuration backup that an administrator can export from the device. This could allow an authenticated attacker with administrative privileges or an attacker that tricks a legitimate administrator to upload a modified configuration file to change the configuration of an affected device.
{
"affected": [],
"aliases": [
"CVE-2023-44319"
],
"database_specific": {
"cwe_ids": [
"CWE-328"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-14T11:15:12Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SCALANCE XB205-3 (SC, PN) (All versions \u003c V4.5), SCALANCE XB205-3 (ST, E/IP) (All versions \u003c V4.5), SCALANCE XB205-3 (ST, E/IP) (All versions \u003c V4.5), SCALANCE XB205-3 (ST, PN) (All versions \u003c V4.5), SCALANCE XB205-3LD (SC, E/IP) (All versions \u003c V4.5), SCALANCE XB205-3LD (SC, PN) (All versions \u003c V4.5), SCALANCE XB208 (E/IP) (All versions \u003c V4.5), SCALANCE XB208 (PN) (All versions \u003c V4.5), SCALANCE XB213-3 (SC, E/IP) (All versions \u003c V4.5), SCALANCE XB213-3 (SC, PN) (All versions \u003c V4.5), SCALANCE XB213-3 (ST, E/IP) (All versions \u003c V4.5), SCALANCE XB213-3 (ST, PN) (All versions \u003c V4.5), SCALANCE XB213-3LD (SC, E/IP) (All versions \u003c V4.5), SCALANCE XB213-3LD (SC, PN) (All versions \u003c V4.5), SCALANCE XB216 (E/IP) (All versions \u003c V4.5), SCALANCE XB216 (PN) (All versions \u003c V4.5), SCALANCE XC206-2 (SC) (All versions \u003c V4.5), SCALANCE XC206-2 (ST/BFOC) (All versions \u003c V4.5), SCALANCE XC206-2G PoE (All versions \u003c V4.5), SCALANCE XC206-2G PoE (54 V DC) (All versions \u003c V4.5), SCALANCE XC206-2G PoE EEC (54 V DC) (All versions \u003c V4.5), SCALANCE XC206-2SFP (All versions \u003c V4.5), SCALANCE XC206-2SFP EEC (All versions \u003c V4.5), SCALANCE XC206-2SFP G (All versions \u003c V4.5), SCALANCE XC206-2SFP G (EIP DEF.) (All versions \u003c V4.5), SCALANCE XC206-2SFP G EEC (All versions \u003c V4.5), SCALANCE XC208 (All versions \u003c V4.5), SCALANCE XC208EEC (All versions \u003c V4.5), SCALANCE XC208G (All versions \u003c V4.5), SCALANCE XC208G (EIP def.) (All versions \u003c V4.5), SCALANCE XC208G EEC (All versions \u003c V4.5), SCALANCE XC208G PoE (All versions \u003c V4.5), SCALANCE XC208G PoE (54 V DC) (All versions \u003c V4.5), SCALANCE XC216 (All versions \u003c V4.5), SCALANCE XC216-3G PoE (All versions \u003c V4.5), SCALANCE XC216-3G PoE (54 V DC) (All versions \u003c V4.5), SCALANCE XC216-4C (All versions \u003c V4.5), SCALANCE XC216-4C G (All versions \u003c V4.5), SCALANCE XC216-4C G (EIP Def.) (All versions \u003c V4.5), SCALANCE XC216-4C G EEC (All versions \u003c V4.5), SCALANCE XC216EEC (All versions \u003c V4.5), SCALANCE XC224 (All versions \u003c V4.5), SCALANCE XC224-4C G (All versions \u003c V4.5), SCALANCE XC224-4C G (EIP Def.) (All versions \u003c V4.5), SCALANCE XC224-4C G EEC (All versions \u003c V4.5), SCALANCE XF204 (All versions \u003c V4.5), SCALANCE XF204 DNA (All versions \u003c V4.5), SCALANCE XF204-2BA (All versions \u003c V4.5), SCALANCE XF204-2BA DNA (All versions \u003c V4.5), SCALANCE XP208 (All versions \u003c V4.5), SCALANCE XP208 (Ethernet/IP) (All versions \u003c V4.5), SCALANCE XP208EEC (All versions \u003c V4.5), SCALANCE XP208PoE EEC (All versions \u003c V4.5), SCALANCE XP216 (All versions \u003c V4.5), SCALANCE XP216 (Ethernet/IP) (All versions \u003c V4.5), SCALANCE XP216EEC (All versions \u003c V4.5), SCALANCE XP216POE EEC (All versions \u003c V4.5), SCALANCE XR324WG (24 x FE, AC 230V) (All versions \u003c V4.5), SCALANCE XR324WG (24 X FE, DC 24V) (All versions \u003c V4.5), SCALANCE XR326-2C PoE WG (All versions \u003c V4.5), SCALANCE XR326-2C PoE WG (without UL) (All versions \u003c V4.5), SCALANCE XR328-4C WG (24XFE, 4XGE, 24V) (All versions \u003c V4.5), SCALANCE XR328-4C WG (24xFE, 4xGE,DC24V) (All versions \u003c V4.5), SCALANCE XR328-4C WG (24xFE,4xGE,AC230V) (All versions \u003c V4.5), SCALANCE XR328-4C WG (24xFE,4xGE,AC230V) (All versions \u003c V4.5), SCALANCE XR328-4C WG (28xGE, AC 230V) (All versions \u003c V4.5), SCALANCE XR328-4C WG (28xGE, DC 24V) (All versions \u003c V4.5), SIPLUS NET SCALANCE XC206-2 (All versions \u003c V4.5), SIPLUS NET SCALANCE XC206-2SFP (All versions \u003c V4.5), SIPLUS NET SCALANCE XC208 (All versions \u003c V4.5), SIPLUS NET SCALANCE XC216-4C (All versions \u003c V4.5). Affected devices use a weak checksum algorithm to protect the configuration backup that an administrator can export from the device. This could allow an authenticated attacker with administrative privileges or an attacker that tricks a legitimate administrator to upload a modified configuration file to change the configuration of an affected device.",
"id": "GHSA-mq9c-j62j-h6cj",
"modified": "2025-01-14T12:31:48Z",
"published": "2023-11-14T12:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44319"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-180704.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-602936.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-690517.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-699386.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-180704.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-699386.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P383-F595-X4QW
Vulnerability from github – Published: 2022-10-11 12:00 – Updated: 2022-10-11 19:00The aeson library is not safe to use to consume untrusted JSON input. A remote user could abuse this flaw to produce a hash collision in the underlying unordered-containers library by sending specially crafted JSON data, resulting in a denial of service.
{
"affected": [],
"aliases": [
"CVE-2022-3433"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-328",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-10T22:15:00Z",
"severity": "MODERATE"
},
"details": "The aeson library is not safe to use to consume untrusted JSON input. A remote user could abuse this flaw to produce a hash collision in the underlying unordered-containers library by sending specially crafted JSON data, resulting in a denial of service.",
"id": "GHSA-p383-f595-x4qw",
"modified": "2022-10-11T19:00:25Z",
"published": "2022-10-11T12:00:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3433"
},
{
"type": "WEB",
"url": "https://cs-syd.eu/posts/2021-09-11-json-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFV5-96R6-W6P5
Vulnerability from github – Published: 2025-01-02 18:30 – Updated: 2025-01-02 18:30Web installer integrity check used weak hash algorithm. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169.
{
"affected": [],
"aliases": [
"CVE-2024-56414"
],
"database_specific": {
"cwe_ids": [
"CWE-328"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-02T16:15:08Z",
"severity": "MODERATE"
},
"details": "Web installer integrity check used weak hash algorithm. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169.",
"id": "GHSA-pfv5-96r6-w6p5",
"modified": "2025-01-02T18:30:36Z",
"published": "2025-01-02T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56414"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-1911"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-51
- Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use.
- Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead.
- Note that using these functions can have an impact on performance, so they require special consideration to avoid denial-of-service attacks. However, their configurability provides finer control over how much CPU and memory is used, so it could be adjusted to suit the environment's needs.
CAPEC-461: Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service.
CAPEC-68: Subvert Code-signing Facilities
Many languages use code signing facilities to vouch for code's identity and to thus tie code to its assigned privileges within an environment. Subverting this mechanism can be instrumental in an attacker escalating privilege. Any means of subverting the way that a virtual machine enforces code signing classifies for this style of attack.