CVE-2023-33243

Exploit

EPSS 12.31%
Veröffentlicht 15.06.2023 20:15:09
Zuletzt bearbeitet 12.12.2024 22:15:07
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allows authentication using the SHA512 hash of the password instead of the cleartext password. While storing password hashes instead of cleartext passwords in an application's database generally has become best practice to protect users' passwords in case of a database compromise, this is rendered ineffective when allowing to authenticate using the password hash.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Starface ≫ Starface Version <= 7.3.0.10

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	12.31%	0.936

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-916 Use of Password Hash With Insufficient Computational Effort

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses

Third Party Advisory

https://www.redteam-pentesting.de/en/advisories/rt-sa-2022-004/-starface-authentication-with-password-hash-possible

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-33243

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-33243

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-33243

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-33243