Submission #383217: Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-759: Use of a One-Way Hash without a Salt

Title: Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-759: Use of a One-Way Hash without a Salt
Description:
NOTE - This submission shall be embargoed until 14:00 CET on 2024-08-01 - NOTE

CVE-2024-38881: An issue in Horizon Business Services Inc. Caterease Software allows a remote attacker to perform a Rainbow Table Password cracking attack due to the use of one-way hashes without salts when storing user passwords.

Vulnerability Type: CWE-759: Use of a One-Way Hash without a Salt
Vendor of the Product: Horizon Business Services Inc.
Affected Product: Caterease Software
Affected Versions: 16.0.1.1663 through 24.0.1.2405
Attack Vector: Remote
Attack Type: CAPEC-55: Rainbow Table Password Cracking

Vulnerability Summary: Caterease Software stores user password hashes without salts, making them vulnerable to rainbow table attacks. This vulnerability arises because the application fails to use a cryptographic salt when hashing passwords, a critical security measure designed to protect against precomputed hash attacks. An attacker can exploit this vulnerability by precomputing hash values for a wide range of possible passwords and then comparing them to the stored hashes. Once a match is found, the original password can be recovered, leading to unauthorized access to user accounts. The exposure of unsalted hashes not only compromises the security of the Caterease Software accounts but also facilitates further attacks, such as credential stuffing on other systems where users may have reused passwords. The lack of salting significantly compromises user account confidentiality and can result in privilege escalation, where an attacker gains access to higher-privilege accounts.

CVSS Base Score: Medium Risk - 6.5
CVSS v3.1 Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability Metrics
Attack Vector (AV): Adjacent Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged

Impact Metrics
Confidentiality (C): High
Integrity (I): None
Availability (A): None
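To make the CWE-759 mechanism described above concrete, the following is an added illustration (not Caterease code and not from the submitter): it contrasts a deterministic unsalted hash, which a single precomputed table matches against every account, with a per-user random salt fed into a slow KDF (PBKDF2-HMAC-SHA256), where the same password yields unlinkable digests and the table is useless. The candidate list and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed candidate passwords standing in for a precomputed (rainbow) table.
CANDIDATES = ["password", "letmein", "catering2024", "Summer!23"]

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the deployment's hardware


def unsalted_hash(password: str) -> str:
    """The weak scheme (CWE-759): one deterministic digest per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(candidates) -> dict:
    """Hash each candidate once; the table is reusable against any unsalted store."""
    return {unsalted_hash(c): c for c in candidates}


def lookup_unsalted(stored_hex: str, table: dict):
    """Recover a password by plain table lookup; None if it was never precomputed."""
    return table.get(stored_hex)


def salted_hash(password: str, salt: bytes = None,
                iterations: int = PBKDF2_ITERATIONS):
    """Hardened scheme: 16-byte random per-user salt plus a slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, dk  # store both; the salt is not secret, only unique


def verify_salted(password: str, salt: bytes, dk: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, dk)


def demo():
    table = precomputed_table(CANDIDATES)
    # Unsalted: two accounts with the same password share a digest, and one
    # precomputed table recovers it for both.
    h1, h2 = unsalted_hash("letmein"), unsalted_hash("letmein")
    cracked = lookup_unsalted(h1, table)
    # Salted: same password, different digests, and the table finds nothing.
    (_, d1), (_, d2) = salted_hash("letmein"), salted_hash("letmein")
    return h1 == h2, cracked, d1 != d2, lookup_unsalted(d1.hex(), table)
```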
User: jTag Labs (UID 51246)
Submitted: 2024-07-30 16:51 (2 years ago)
Moderation: 2024-08-01 14:14 (2 days later)
Status: Accepted
VulDB Entry: 273365 [Horizon Business Services Caterease up to 24.0.1.2405 User Password weak encryption]
Points: 17
