Common Weakness Enumeration

CWE-916

Allowed

Use of Password Hash With Insufficient Computational Effort

Abstraction: Base · Status: Incomplete

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

162 vulnerabilities reference this CWE, most recent first.

GHSA-CXPW-9682-4RMH

Vulnerability from github – Published: 2022-03-22 00:00 – Updated: 2026-07-05 00:31
VLAI
Details

BigAnt Software BigAnt Server v5.6.06 was discovered to utilize weak password hashes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-23348"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-916"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-21T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "BigAnt Software BigAnt Server v5.6.06 was discovered to utilize weak password hashes.",
  "id": "GHSA-cxpw-9682-4rmh",
  "modified": "2026-07-05T00:31:26Z",
  "published": "2022-03-22T00:00:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23348"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23348"
    },
    {
      "type": "WEB",
      "url": "https://www.bigantsoft.com"
    },
    {
      "type": "WEB",
      "url": "http://bigant.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F458-CXQH-JGV3

Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-05-24 17:40
VLAI
Details

Use of Password Hash With Insufficient Computational Effort in the database of Bosch FSM-2500 server and Bosch FSM-5000 server up to and including version 5.2 allows a remote attacker with admin privileges to dump the credentials of other users and possibly recover their plain-text passwords by brute-forcing the MD5 hash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-6780"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-916"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-26T18:16:00Z",
    "severity": "MODERATE"
  },
  "details": "Use of Password Hash With Insufficient Computational Effort in the database of Bosch FSM-2500 server and Bosch FSM-5000 server up to and including version 5.2 allows a remote attacker with admin privileges to dump the credentials of other users and possibly recover their plain-text passwords by brute-forcing the MD5 hash.",
  "id": "GHSA-f458-cxqh-jgv3",
  "modified": "2022-05-24T17:40:18Z",
  "published": "2022-05-24T17:40:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6780"
    },
    {
      "type": "WEB",
      "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-332072-BT.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-F6XC-RCX3-3C9H

Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34
VLAI
Details

Davolink DVW-3200N all version prior to Version 1.00.06. The device generates a weak password hash that is easily cracked, allowing a remote attacker to obtain the password for the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-916"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-01T18:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Davolink DVW-3200N all version prior to Version 1.00.06. The device generates a weak password hash that is easily cracked, allowing a remote attacker to obtain the password for the device.",
  "id": "GHSA-f6xc-rcx3-3c9h",
  "modified": "2022-05-13T01:34:59Z",
  "published": "2022-05-13T01:34:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10618"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-212-01"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/45076"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104940"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FH32-35W2-RXCC

Vulnerability from github – Published: 2022-05-02 03:53 – Updated: 2022-06-17 22:23
VLAI
Summary
Use of Password Hash With Insufficient Computational Effort in Apache Derby
Details

The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.5.3.01"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.derby:derby"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.6.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2009-4269"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-916"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-17T22:23:08Z",
    "nvd_published_at": "2010-08-16T20:00:00Z",
    "severity": "MODERATE"
  },
  "details": "The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.",
  "id": "GHSA-fh32-35w2-rxcc",
  "modified": "2022-06-17T22:23:08Z",
  "published": "2022-05-02T03:53:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-4269"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/derby/commit/178ca0cfb796b5a5788d25ded0978773ea254332"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/derby/commit/23f97a597716ee5b08eff698b7177850ad8e1294"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/derby/commit/3b82686e32a8d4fa2027350279104f9b243b35d6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/derby/commit/60edeb0cb29daf9d28ece1863db779c1af5a3f62"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/derby/commit/8c305e2f3fad1c3a4f98c06c7f2b53e2bfdd308c"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/DERBY-4483"
    },
    {
      "type": "WEB",
      "url": "http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=apache-db-general\u0026m=127428514905504\u0026w=1"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Use of Password Hash With Insufficient Computational Effort in Apache Derby"
}

GHSA-G29V-Q6H7-76WH

Vulnerability from github – Published: 2026-05-14 20:30 – Updated: 2026-06-09 10:20
VLAI
Summary
electerm's encrypt method not safe enough
Details

Impact

Insecure sync encryption: deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confidentiality and integrity failures for synced bookmark/profile data. Attackers can crack common passwords across installs and perform undetected ciphertext bit-flips to alter config/bookmarks.

Patches

  • https://github.com/electerm/electerm/commit/9dd8295e37d53396b980cd45dfc5ed11ad79b937

Workarounds

  • No

References

  • Report / credit: https://github.com/Curly-Haired-Baboon
  • Electerm releases: https://github.com/electerm/electerm/releases
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "electerm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45787"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-329",
      "CWE-353",
      "CWE-759",
      "CWE-916"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:30:04Z",
    "nvd_published_at": "2026-05-28T18:16:35Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n_Insecure sync encryption: deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confidentiality and integrity failures for synced bookmark/profile data. Attackers can crack common passwords across installs and perform undetected ciphertext bit-flips to alter config/bookmarks._\n\n### Patches\n\n- https://github.com/electerm/electerm/commit/9dd8295e37d53396b980cd45dfc5ed11ad79b937\n\n### Workarounds\n\n- No\n\n### References\n- Report / credit: https://github.com/Curly-Haired-Baboon\n- Electerm releases: https://github.com/electerm/electerm/releases",
  "id": "GHSA-g29v-q6h7-76wh",
  "modified": "2026-06-09T10:20:23Z",
  "published": "2026-05-14T20:30:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/electerm/electerm/security/advisories/GHSA-g29v-q6h7-76wh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45787"
    },
    {
      "type": "WEB",
      "url": "https://github.com/electerm/electerm/commit/9dd8295e37d53396b980cd45dfc5ed11ad79b937"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/electerm/electerm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/electerm/electerm/releases/tag/v3.9.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "electerm\u0027s encrypt method not safe enough"
}

GHSA-GCWW-537W-9VM7

Vulnerability from github – Published: 2026-05-29 21:31 – Updated: 2026-05-29 21:31
VLAI
Details

Danelec MacGregor Voyage Data Recorder passwords are stored with a hashing method which limits password length and is susceptible to brute force attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-44611"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-916"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-29T19:16:24Z",
    "severity": "MODERATE"
  },
  "details": "Danelec MacGregor Voyage Data Recorder\npasswords are stored with a hashing method which limits password length and is susceptible to brute force attacks.",
  "id": "GHSA-gcww-537w-9vm7",
  "modified": "2026-05-29T21:31:21Z",
  "published": "2026-05-29T21:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44611"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-01.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-01"
    },
    {
      "type": "WEB",
      "url": "https://www.danelec.com/contact"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-GQJP-R446-FF55

Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28
VLAI
Details

Use of Password Hash with Insufficient Computational Effort vulnerability exists in ClearSCADA (all versions), EcoStruxure Geo SCADA Expert 2019 (all versions), and EcoStruxure Geo SCADA Expert 2020 (V83.7742.1 and prior), which could cause the revealing of account credentials when server database files are available. Exposure of these files to an attacker can make the system vulnerable to password decryption attacks. Note that “.sde” configuration export files do not contain user account password hashes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22741"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-916"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-26T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Use of Password Hash with Insufficient Computational Effort vulnerability exists in ClearSCADA (all versions), EcoStruxure Geo SCADA Expert 2019 (all versions), and EcoStruxure Geo SCADA Expert 2020 (V83.7742.1 and prior), which could cause the revealing of account credentials when server database files are available. Exposure of these files to an attacker can make the system vulnerable to password decryption attacks. Note that \u201c.sde\u201d configuration export files do not contain user account password hashes.",
  "id": "GHSA-gqjp-r446-ff55",
  "modified": "2022-05-24T22:28:40Z",
  "published": "2022-05-24T22:28:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22741"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-130-07"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-GRG4-P2PX-V4HG

Vulnerability from github – Published: 2024-07-30 15:31 – Updated: 2024-08-23 15:30
VLAI
Details

Weak password hashing using MD5 in funzioni.php in HotelDruid before 1.32 allows an attacker to obtain plaintext passwords from hash values.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23091"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-916"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-30T14:15:02Z",
    "severity": "HIGH"
  },
  "details": "Weak password hashing using MD5 in funzioni.php in HotelDruid before 1.32 allows an attacker to obtain plaintext passwords from hash values.",
  "id": "GHSA-grg4-p2px-v4hg",
  "modified": "2024-08-23T15:30:33Z",
  "published": "2024-07-30T15:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23091"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40cnetsec/security-advisory-cve-2024-23091-weak-password-hashing-using-md5-f18a6fe3a473"
    },
    {
      "type": "WEB",
      "url": "https://www.hoteldruid.com/en/download.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H223-3FMJ-VHG5

Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2023-07-10 21:30
VLAI
Details

The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the includes function in redux-core/class-redux-core.php that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site’s AUTH_KEY concatenated with the SECURE_AUTH_KEY.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38314"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-916"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-02T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Gutenberg Template Library \u0026 Redux Framework plugin \u003c= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of \u0027-redux\u0027 and an md5 hash of the previous hash with a known salt value of \u0027-support\u0027. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site\u0027s PHP version, and an unsalted md5 hash of site\u2019s `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`.",
  "id": "GHSA-h223-3fmj-vhg5",
  "modified": "2023-07-10T21:30:52Z",
  "published": "2022-05-24T22:28:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38314"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-redux-framework-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HQR7-C67H-HJRC

Vulnerability from github – Published: 2022-05-20 00:00 – Updated: 2022-06-09 00:00
VLAI
Details

The affected Bachmann Electronic M-Base Controllers of version MSYS v1.06.14 and later use weak cryptography to protect device passwords. Affected controllers that are actively supported include MX207, MX213, MX220, MC206, MC212, MC220, and MH230 hardware controllers, and affected end-of-life controller include MC205, MC210, MH212, ME203, CS200, MP213, MP226, MPC240, MPC265, MPC270, MPC293, MPE270, and CPC210 hardware controllers. Security Level 0 is set at default from the manufacturer, which could allow an unauthenticated remote attacker to gain access to the password hashes. Security Level 4 is susceptible if an authenticated remote attacker or an unauthenticated person with physical access to the device reads and decrypts the password to conduct further attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-16231"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-916"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-19T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "The affected Bachmann Electronic M-Base Controllers of version MSYS v1.06.14 and later use weak cryptography to protect device passwords. Affected controllers that are actively supported include MX207, MX213, MX220, MC206, MC212, MC220, and MH230 hardware controllers, and affected end-of-life controller include MC205, MC210, MH212, ME203, CS200, MP213, MP226, MPC240, MPC265, MPC270, MPC293, MPE270, and CPC210 hardware controllers. Security Level 0 is set at default from the manufacturer, which could allow an unauthenticated remote attacker to gain access to the password hashes. Security Level 4 is susceptible if an authenticated remote attacker or an unauthenticated person with physical access to the device reads and decrypts the password to conduct further attacks.",
  "id": "GHSA-hqr7-c67h-hjrc",
  "modified": "2022-06-09T00:00:23Z",
  "published": "2022-05-20T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16231"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-026-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-51
Architecture and Design
  • Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use.
  • Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead.
  • Note that using these functions can have an impact on performance, so they require special consideration to avoid denial-of-service attacks. However, their configurability provides finer control over how much CPU and memory is used, so it could be adjusted to suit the environment's needs.
Mitigation MIT-25
Implementation Architecture and Design

When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.

CAPEC-55: Rainbow Table Password Cracking

An attacker gets access to the database table where hashes of passwords are stored. They then use a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system.