CVEbaza.plSłownik CWECWE-916
Common Weakness Enumeration

CWE-916

Use of Password Hash With Insufficient Computational Effort

Kategoria: BaseCVE: 140
Opis

Produkt generuje skrót hasła, jednak używa schematu, który nie zapewnia wystarczającego poziomu wysiłku obliczeniowego, aby ataki na łamanie haseł były niemożliwe lub kosztowne. To narażenie umożliwia atakującym na szybkie odgadnięcie haseł poprzez brute-force lub ataki słownikowe.

Description (EN)

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

Podatności CVE z CWE-916 (140)
10.0
CVSS
CRITICAL
CVE-2020-14516

In Rockwell Automation FactoryTalk Services Platform Versions 6.10.00 and 6.11.00, there is an issue with the implementation of the SHA-256 hashing algorithm with FactoryTalk Services Platform that prevents the user password from being hashed properly.

pub. 2021-03-18
9.8
CVSS
CRITICAL
CVE-2024-5743

Podatność w urządzeniu EveHome Eve Play (do wersji 1.1.42) wynika z zastosowania algorytmu hashowania haseł o niewystarczającej złożoności obliczeniowej. Błąd jest krytyczny, ponieważ umożliwia zdalnemu atakującemu wykonanie dowolnego kodu bez uwierzytelnienia.

pub. 2025-01-13
9.8
CVSS
CRITICAL
CVE-2022-37163

Bminusl IHateToBudget v1.5.7 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper making it much easier for tools like hashcat to crack the hashes.

pub. 2022-09-08
9.8
CVSS
CRITICAL
CVE-2022-37164

Inoda OnTrack v3.4 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper making it much easier for tools like hashcat to crack the hashes.

pub. 2022-09-08
9.8
CVSS
CRITICAL
CVE-2021-36767

In Digi RealPort through 4.10.490, authentication relies on a challenge-response mechanism that gives access to the server password, making the protection ineffective. An attacker may send an unauthenticated request to the server. The server will reply with a weakly-hashed version of the server's access password. The attacker may then crack this hash offline in order to successfully login to the server.

pub. 2021-10-08
9.8
CVSS
CRITICAL
CVE-2021-32519

Use of password hash with insufficient computational effort vulnerability in QSAN Storage Manager, XEVO, SANOS allows remote attackers to recover the plain-text password by brute-forcing the MD5 hash. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.2, QSAN XEVO v2.1.0, and QSAN SANOS v2.1.0.

pub. 2021-07-07
9.8
CVSS
CRITICAL
CVE-2019-17216

An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ethernet R07 and before WLAN R05. Password authentication uses MD5 to hash passwords. Cracking is possible with minimal effort.

pub. 2019-10-06
9.8
CVSS
CRITICAL
CVE-2019-6563

Moxa IKS and EDS generate a predictable cookie calculated with an MD5 hash, allowing an attacker to capture the administrator's password, which could lead to a full compromise of the device.

pub. 2019-03-05
9.8
CVSS
CRITICAL
CVE-2018-15680

An issue was discovered in BTITeam XBTIT 2.5.4. The hashed passwords stored in the xbtit_users table are stored as unsalted MD5 hashes, which makes it easier for context-dependent attackers to obtain cleartext values via a brute-force attack.

pub. 2018-09-05
9.8
CVSS
CRITICAL
CVE-2018-15681

An issue was discovered in BTITeam XBTIT 2.5.4. When a user logs in, their password hash is rehashed using a predictable salt and stored in the "pass" cookie, which is not flagged as HTTPOnly. Due to the weak and predictable salt that is in place, an attacker who successfully steals this cookie can efficiently brute-force it to retrieve the user's cleartext password.

pub. 2018-09-05
9.8
CVSS
CRITICAL
CVE-2018-10618

Davolink DVW-3200N all version prior to Version 1.00.06. The device generates a weak password hash that is easily cracked, allowing a remote attacker to obtain the password for the device.

pub. 2018-08-01
9.8
CVSS
CRITICAL
CVE-2005-0408

CitrusDB 0.3.6 and earlier generates easily predictable MD5 hashes of the user name for the id_hash cookie, which allows remote attackers to bypass authentication and gain privileges by calculating the MD5 checksum of the user name combined with the "boogaadeeboo" string, which is hard-coded in the $hidden_hash variable.

pub. 2005-02-14
9.8
CVSS
CRITICAL
CVE-2001-0967

Knox Arkeia server 4.2, and possibly other versions, uses a constant salt when encrypting passwords using the crypt() function, which makes it easier for an attacker to conduct brute force password guessing.

pub. 2001-08-31
9.1
CVSS
CRITICAL
CVE-2023-46133

CryptoES is a cryptography algorithms library compatible with ES6 and TypeScript. Prior to version 2.1.0, CryptoES PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 2.1.0 contains a patch for this issue. As a workaround, configure CryptoES to use SHA256 with at least 250,000 iterations.

pub. 2023-10-25
9.1
CVSS
CRITICAL
CVE-2023-46233

crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.

pub. 2023-10-25
9.1
CVSS
CRITICAL
CVE-2019-19735

class.userpeer.php in MFScripts YetiShare 3.5.2 through 4.5.3 uses an insecure method of creating password reset hashes (based only on microtime), which allows an attacker to guess the hash and set the password within a few hours by bruteforcing.

pub. 2019-12-30
8.7
CVSS
HIGH
CVE-2026-55069

Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains read access to the PostgreSQL database can exploit SHA-512's high computation speed to recover the administrator password offline. In Kubernetes deployments, a successful crack further enables reading of the cluster ServiceAccount Token and all K8s Secrets, achieving vertical privilege escalation. This vulnerability is fixed in 1.3.24.

pub. 2026-06-26
8.3
CVSS
HIGH
CVE-2023-5846

Franklin Fueling System TS-550 versions prior to 1.9.23.8960 are vulnerable to attackers decoding admin credentials, resulting in unauthenticated access to the device.

pub. 2023-11-02
8.3
CVSS
HIGH
CVE-2022-36071

SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP (Time-based One Time Passwords) as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one time use codes that can be used instead of the TOTP. In SFTPGo versions from version 2.2.0 to 2.3.3 recovery codes can be generated before enabling two-factor authentication. An attacker who knows the user's password could potentially generate some recovery codes and then bypass two-factor authentication after it is enabled on the account at a later time. This issue has been fixed in version 2.3.4. Recovery codes can now only be generated after enabling two-factor authentication and are deleted after disabling it.

pub. 2022-09-02
8.2
CVSS
HIGH
CVE-2026-25861

QloApps through 1.7.0, fixed in commit 64e9722, contains a weak cryptographic algorithm vulnerability that allows attackers to compromise user credentials by exploiting the use of MD5 for password hashing in the Tools::encrypt() function within classes/Tools.php, which concatenates a static cookie key with the supplied password. Attackers can perform offline brute-force attacks against the MD5 hashes, with the risk compounded by auto-generated 8-character passwords assigned during guest-to-customer account conversion in classes/Customer.php, making credential recovery trivial.

pub. 2026-06-02
Pokazano 20 z 140 podatności
Informacje
ID: CWE-916
Typ: Base
Podatności: 140
MITRE CWE ↗
← Słownik CWE
CWE-916 — Użycie skrótu hasła z niewystarczającym wysiłkiem obliczeniowym | Słownik CWE | CVEbaza.pl