Lucene search

GoogleOSV:CVE-2022-37163

HistorySep 08, 2022 - 4:15 p.m.

CVE-2022-37163

2022-09-0816:15:08

Google

osv.dev

bminusl ihatetobudget

weak password policy

brute-force attacks

unsecured hashing

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

Low

EPSS

0.002

Percentile

59.6%

JSON

Bminusl IHateToBudget v1.5.7 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper making it much easier for tools like hashcat to crack the hashes.

References

gainsec.com/2022/08/07/cve-2022-hardcoded-creds-weak-password-hauk-android-location-sharing/

github.com/bminusl/ihatetobudget/issues/24

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

Low

EPSS

0.002

Percentile

59.6%

JSON

Related for OSV:CVE-2022-37163