CVE-2023-27580

EPSS 0.13%
Veröffentlicht 13.03.2023 18:15:12
Zuletzt bearbeitet 21.11.2024 07:53:11
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

CodeIgniter Shield provides authentication and authorization for the CodeIgniter 4 PHP framework. An improper implementation was found in the password storage process. All hashed passwords stored in Shield v1.0.0-beta.3 or earlier are easier to crack than expected due to the vulnerability. Therefore, they should be removed as soon as possible. If an attacker gets (1) the user's hashed password by Shield, and (2) the hashed password (SHA-384 hash without salt) from somewhere, the attacker may easily crack the user's password. Upgrade to Shield v1.0.0-beta.4 or later to fix this issue. After upgrading, all users’ hashed passwords should be updated (saved to the database). There are no known workarounds.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Codeigniter ≫ Shield Version1.0.0 Updatebeta

Codeigniter ≫ Shield Version1.0.0 Updatebeta2

Codeigniter ≫ Shield Version1.0.0 Updatebeta3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.13%	0.327

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-916 Use of Password Hash With Insufficient Computational Effort

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

https://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html

Third Party Advisory

https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pre-hashing-passwords

Not Applicable

https://github.com/codeigniter4/shield/blob/develop/UPGRADING.md

Vendor Advisory

https://github.com/codeigniter4/shield/commit/ea9688dd01d100193d834117dbfc2cfabcf9ea0b

Patch

https://github.com/codeigniter4/shield/security/advisories/GHSA-c5vj-f36q-p9vg

Vendor Advisory

https://www.scottbrady91.com/authentication/beware-of-password-shucking

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-27580

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-27580

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-27580

EUVD