Lucene search

[email protected]CVE-2023-33243

HistoryJun 15, 2023 - 8:15 p.m.

CVE-2023-33243

2023-06-1520:15:09

CWE-916

[email protected]

web.nvd.nist.gov

starface

web interface

rest api

authentication

sha512

password hash

security vulnerability

nvd

cve-2023-33243

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8.2 High

AI Score

Confidence

High

0.028 Low

EPSS

Percentile

90.6%

JSON

RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allows authentication using the SHA512 hash of the password instead of the cleartext password. While storing password hashes instead of cleartext passwords in an application’s database generally has become best practice to protect users’ passwords in case of a database compromise, this is rendered ineffective when allowing to authenticate using the password hash.

Affected configurations

NVD

Node

starfacestarfaceRange≤7.3.0.10

CPENameOperatorVersion
starface:starfacestarfacele7.3.0.10

CPE	Name	Operator	Version
starface:starface	starface	le	7.3.0.10

References

www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses

www.redteam-pentesting.de/en/advisories/rt-sa-2022-004/-starface-authentication-with-password-hash-possible

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8.2 High

AI Score

Confidence

High

0.028 Low

EPSS

Percentile

90.6%

JSON

Related for CVE-2023-33243

prion1 cvelist1 githubexploit1 packetstorm1 zdt1 nvd1 exploitdb1