Submission #383217: Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-759: Use of a One-Way Hash without a Salt

Information

Title: Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-759: Use of a One-Way Hash without a Salt
Description:

NOTE - This submission shall be embargoed until 14:00 CET on 2024-08-01 - NOTE

CVE-2024-38881: An issue in Horizon Business Services Inc. Caterease Software allows a remote attacker to perform a rainbow table password cracking attack, because user passwords are stored as one-way hashes without salts.

Vulnerability Type: CWE-759: Use of a One-Way Hash without a Salt
Vendor of the Product: Horizon Business Services Inc.
Affected Product: Caterease Software
Affected Versions: 16.0.1.1663 through 24.0.1.2405
Attack Vector: Remote
Attack Type: CAPEC-55: Rainbow Table Password Cracking

Vulnerability Summary: Caterease Software stores user password hashes without salts, leaving them vulnerable to rainbow table attacks. The application does not apply a cryptographic salt when hashing passwords; a per-user random salt is the standard defence against precomputed-hash attacks, because it forces the attacker to recompute the table for every distinct salt value. Without it, an attacker who obtains the stored hashes can precompute hashes for a large set of candidate passwords once and match every stored hash against that single table; each match recovers the original password and yields unauthorized access to that account. Because identical passwords also produce identical unsalted hashes, the attacker immediately learns which accounts share a password. Exposure of unsalted hashes not only compromises Caterease Software accounts but also enables follow-on attacks such as credential stuffing against other systems where users reused the same password. The lack of salting significantly compromises user account confidentiality and can lead to privilege escalation if the password of a higher-privileged account is recovered.

CVSS Base Score: 6.5 (Medium Risk)
CVSS v3.1 Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability Metrics: Attack Vector (AV): Adjacent Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None; Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High; Integrity (I): None; Availability (A): None

Note that the "Attack Vector: Remote" field above does not agree with the CVSS vector, which specifies AV:A (Adjacent Network); the 6.5 base score is the value that follows from the AV:A vector as given, not from a network-reachable (AV:N) vector.
User: jTag Labs (UID 51246)
Submitted: 30/07/2024 04:51 PM (2 years ago)
Moderation: 01/08/2024 02:14 PM (2 days later)
Status: Approved
VulDB Entry: 273365 [Horizon Business Services Caterease up to 24.0.1.2405 User Password weak encryption]
Points: 17
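The following Python is an added example, not code from the advisory, from the vendor, or from jTag Labs. It contrasts the CWE-759 pattern the submission describes (a bare one-way hash, so one precomputed table cracks every stored hash and equal passwords are visible as equal hashes) with a salted, iterated scheme that defeats the precomputed table. The hash algorithm (SHA-256), the candidate wordlist, the storage format and the iteration count are all assumptions made for illustration; the advisory does not state which hash function Caterease uses.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed candidate list standing in for a rainbow table's input domain.
WORDLIST = ["password", "letmein", "Summer2024", "catering123", "Welcome1"]

# Assumed work factor (OWASP's current guidance for PBKDF2-HMAC-SHA256).
# A salt alone stops precomputation; the iteration count is what makes a
# per-hash dictionary attack expensive.
PBKDF2_ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """CWE-759 pattern: a bare one-way hash of the password, no salt.
    SHA-256 is an assumed algorithm for illustration only."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> plaintext once. A real rainbow table trades space
    for time with reduction chains, but the effect is the same: one table
    serves against every unsalted hash ever captured."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Recover the password with a single lookup; no hashing at attack time."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened form: per-user random salt plus an iterated KDF.
    Stored as 'pbkdf2_sha256$<iterations>$<salt-hex>$<dk-hex>' (assumed format)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_salted(stored: str, table: Dict[str, str]) -> Optional[str]:
    """The precomputed table never matches: the derived key depends on a salt
    the attacker did not know when the table was built."""
    return table.get(stored.split("$")[-1])


def demo(iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Two users share a password. Returns what the attacker learns under each scheme."""
    table = build_lookup_table(WORDLIST)
    alice_u, bob_u = unsalted_hash("Summer2024"), unsalted_hash("Summer2024")
    alice_s = salted_hash("Summer2024", iterations=iterations)
    bob_s = salted_hash("Summer2024", iterations=iterations)
    return {
        "unsalted_hashes_identical": alice_u == bob_u,
        "unsalted_cracked": (crack_unsalted(alice_u, table), crack_unsalted(bob_u, table)),
        "salted_hashes_identical": alice_s == bob_s,
        "salted_cracked": (crack_salted(alice_s, table), crack_salted(bob_s, table)),
        "salted_verify_ok": verify_salted("Summer2024", alice_s) and verify_salted("Summer2024", bob_s),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows both unsalted hashes recovered from one table and flagged as identical, while the two salted hashes differ, fail the table lookup, and still verify for the correct password. The salt is what addresses CWE-759 and CAPEC-55; the iteration count (or an equivalent memory-hard KDF such as scrypt or Argon2, or bcrypt) is the separate control against guessing weak passwords one hash at a time, and a migration should rehash each user's password on next successful login rather than try to convert existing unsalted digests.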
