An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android, through 0.0.80w for Web, and through 0.0.86 for Desktop. For…
mitre·CWE-916·Published 2017-08-01
An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android, through 0.0.80w for Web, and through 0.0.86 for Desktop. For authentication, the user password is hashed directly with SHA-512 without a salt or another key-derivation mechanism to enable a secure secret for authentication. Moreover, only the first 32 bytes of the hash are used. This allows for easy dictionary and rainbow-table attacks if an attacker has access to the password hash.
An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android, through 0.0.80w for Web, and through 0.0.86 for Desktop. For authentication, the user password is hashed directly with SHA-512 without a salt or another key-derivation mechanism to enable a secure secret for authentication. Moreover, only the first 32 bytes of the hash are used. This allows for easy dictionary and rainbow-table attacks if an attacker has access to the password hash.
Se ha descubierto un error en la versión 1.7.5 de heinekingmedia StashCat para Android, en la versión 0.0.80w para web, y 0.0.86 para ordenador. Para la autenticación, la contraseña del usuario se crea con un hash SHA-512 sin sal ni ningún otro mecanismo de derivación de clave para establecer un secreto seguro. Además, solo se utilizan los 32 primeros bytes del hash. Esto facilita los ataques de diccionario y de tablas rainbow si un atacante tiene acceso al hash de la contraseña.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| 3.0 | Primary | NVD | 5.9 | 2.2 | 3.6 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |