CVE-2024-47182

EPSS 0.08%
Veröffentlicht 27.09.2024 14:15:04
Zuletzt bearbeitet 04.10.2024 18:31:29
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

Dozzle is a realtime log viewer for docker containers. Before version 8.5.3, the app uses sha-256 as the hash for passwords, which leaves users susceptible to rainbow table attacks. The app switches to bcrypt, a more appropriate hash for passwords, in version 8.5.3.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Amirraminfar ≫ Dozzle SwPlatformdocker Version < 8.5.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.231

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	4.8	2.2	2.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

CWE-328 Use of Weak Hash

The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).

https://github.com/amir20/dozzle/commit/de79f03aa3dbe5bb1e154a7e8d3dccbd229f3ea3

Patch

https://github.com/amir20/dozzle/security/advisories/GHSA-w7qr-q9fh-fj35

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-47182

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-47182

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-47182

EUVD