Search criteria

2 vulnerabilities found for Actualizer by ChewKeanHo

CVE-2025-47276 (GCVE-0-2025-47276)

Vulnerability from cvelistv5 – Published: 2025-05-13 15:34 – Updated: 2025-05-13 19:31
VLAI?
Title
Actualizer Uses OpenSSL's "-passwd" Function Which Uses SHA512 Under The Hood Instead of Proper Password Hasher like Yescript/Argon2i
Summary
Actualizer is a single shell script solution to allow developers and embedded engineers to create Debian operating systems (OS). Prior to version 1.2.0, Actualizer uses OpenSSL's "-passwd" function, which uses SHA512 instead of a more suitable password hasher like Yescript/Argon2i. All Actualizer users building a full Debian Operating System are affected. Users should upgrade to version 1.2.0 of Actualizer. Existing OS deployment requires manual password changes against the alpha and root accounts. The change will deploy's Debian's yescript overriding the older SHA512 hash created by OpenSSL. As a workaround, users need to reset both `root` and "Alpha" users' passwords.
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE
Assigner
References
Impacted products
Vendor Product Version
ChewKeanHo Actualizer Affected: < 1.2.0
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-47276",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-13T19:31:14.270803Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-13T19:31:22.672Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Actualizer",
          "vendor": "ChewKeanHo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Actualizer is a single shell script solution to allow developers and embedded engineers to create Debian operating systems (OS). Prior to version 1.2.0, Actualizer uses OpenSSL\u0027s  \"-passwd\" function, which uses SHA512 instead of a more suitable password hasher like Yescript/Argon2i. All Actualizer users building a full Debian Operating System are affected. Users should upgrade to version 1.2.0 of Actualizer. Existing OS deployment requires manual password changes against the alpha and root accounts. The change will deploy\u0027s Debian\u0027s yescript overriding the older SHA512 hash created by OpenSSL. As a workaround, users need to reset both `root` and \"Alpha\" users\u0027 passwords."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-328",
              "description": "CWE-328: Use of Weak Hash",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-13T15:34:28.801Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ChewKeanHo/Actualizer/security/advisories/GHSA-v626-chv9-v9qr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ChewKeanHo/Actualizer/security/advisories/GHSA-v626-chv9-v9qr"
        },
        {
          "name": "https://github.com/ChewKeanHo/Actualizer/issues/1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ChewKeanHo/Actualizer/issues/1"
        },
        {
          "name": "https://github.com/openssl/openssl/issues/19340",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/openssl/openssl/issues/19340"
        },
        {
          "name": "https://github.com/ChewKeanHo/Actualizer/commit/32c9cc232c856f078f8269fba80ce7562bbff86b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ChewKeanHo/Actualizer/commit/32c9cc232c856f078f8269fba80ce7562bbff86b"
        },
        {
          "name": "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html"
        },
        {
          "name": "https://github.com/ChewKeanHo/Actualizer/releases/tag/v1.2.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ChewKeanHo/Actualizer/releases/tag/v1.2.0"
        },
        {
          "name": "https://www.reddit.com/r/debian/comments/1kknzqi/actualizer_v110_upgraded",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.reddit.com/r/debian/comments/1kknzqi/actualizer_v110_upgraded"
        }
      ],
      "source": {
        "advisory": "GHSA-v626-chv9-v9qr",
        "discovery": "UNKNOWN"
      },
      "title": "Actualizer Uses OpenSSL\u0027s  \"-passwd\" Function Which Uses SHA512 Under The Hood Instead of Proper Password Hasher like Yescript/Argon2i"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-47276",
    "datePublished": "2025-05-13T15:34:28.801Z",
    "dateReserved": "2025-05-05T16:53:10.372Z",
    "dateUpdated": "2025-05-13T19:31:22.672Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-47276 (GCVE-0-2025-47276)

Vulnerability from nvd – Published: 2025-05-13 15:34 – Updated: 2025-05-13 19:31
VLAI?
Title
Actualizer Uses OpenSSL's "-passwd" Function Which Uses SHA512 Under The Hood Instead of Proper Password Hasher like Yescript/Argon2i
Summary
Actualizer is a single shell script solution to allow developers and embedded engineers to create Debian operating systems (OS). Prior to version 1.2.0, Actualizer uses OpenSSL's "-passwd" function, which uses SHA512 instead of a more suitable password hasher like Yescript/Argon2i. All Actualizer users building a full Debian Operating System are affected. Users should upgrade to version 1.2.0 of Actualizer. Existing OS deployment requires manual password changes against the alpha and root accounts. The change will deploy's Debian's yescript overriding the older SHA512 hash created by OpenSSL. As a workaround, users need to reset both `root` and "Alpha" users' passwords.
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE
Assigner
References
Impacted products
Vendor Product Version
ChewKeanHo Actualizer Affected: < 1.2.0
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-47276",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-13T19:31:14.270803Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-13T19:31:22.672Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Actualizer",
          "vendor": "ChewKeanHo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Actualizer is a single shell script solution to allow developers and embedded engineers to create Debian operating systems (OS). Prior to version 1.2.0, Actualizer uses OpenSSL\u0027s  \"-passwd\" function, which uses SHA512 instead of a more suitable password hasher like Yescript/Argon2i. All Actualizer users building a full Debian Operating System are affected. Users should upgrade to version 1.2.0 of Actualizer. Existing OS deployment requires manual password changes against the alpha and root accounts. The change will deploy\u0027s Debian\u0027s yescript overriding the older SHA512 hash created by OpenSSL. As a workaround, users need to reset both `root` and \"Alpha\" users\u0027 passwords."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-328",
              "description": "CWE-328: Use of Weak Hash",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-13T15:34:28.801Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ChewKeanHo/Actualizer/security/advisories/GHSA-v626-chv9-v9qr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ChewKeanHo/Actualizer/security/advisories/GHSA-v626-chv9-v9qr"
        },
        {
          "name": "https://github.com/ChewKeanHo/Actualizer/issues/1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ChewKeanHo/Actualizer/issues/1"
        },
        {
          "name": "https://github.com/openssl/openssl/issues/19340",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/openssl/openssl/issues/19340"
        },
        {
          "name": "https://github.com/ChewKeanHo/Actualizer/commit/32c9cc232c856f078f8269fba80ce7562bbff86b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ChewKeanHo/Actualizer/commit/32c9cc232c856f078f8269fba80ce7562bbff86b"
        },
        {
          "name": "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html"
        },
        {
          "name": "https://github.com/ChewKeanHo/Actualizer/releases/tag/v1.2.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ChewKeanHo/Actualizer/releases/tag/v1.2.0"
        },
        {
          "name": "https://www.reddit.com/r/debian/comments/1kknzqi/actualizer_v110_upgraded",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.reddit.com/r/debian/comments/1kknzqi/actualizer_v110_upgraded"
        }
      ],
      "source": {
        "advisory": "GHSA-v626-chv9-v9qr",
        "discovery": "UNKNOWN"
      },
      "title": "Actualizer Uses OpenSSL\u0027s  \"-passwd\" Function Which Uses SHA512 Under The Hood Instead of Proper Password Hasher like Yescript/Argon2i"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-47276",
    "datePublished": "2025-05-13T15:34:28.801Z",
    "dateReserved": "2025-05-05T16:53:10.372Z",
    "dateUpdated": "2025-05-13T19:31:22.672Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}