php: Password_verify() always return true with some hash
A vulnerability was found in PHP. This security flaw occurs when malformatted BCrypt hashes that include a $ within their salt part trigger a buffer overread and may erroneously validate any password as valid...
SUSE CVE-2024-47182
Dozzle is a realtime log viewer for docker containers. Before version 8.5.3, the app uses sha-256 as the hash for passwords, which leaves users susceptible to rainbow table attacks. The app switches to bcrypt, a more appropriate hash for passwords, in version 8.5.3...
GHSA-W7QR-Q9FH-FJ35 Dozzle uses unsafe hash for passwords
Summary The app uses sha-256 as the hash for passwords. The app should switch to bcrypt. Details SHA-256 is a message digest hash, and not classified as secure for password hashing. Message digest hashes are designed to be fast, while password hashing mechanisms are designed with certain...
Dozzle uses unsafe hash for passwords
Summary The app uses sha-256 as the hash for passwords. The app should switch to bcrypt. Details SHA-256 is a message digest hash, and not classified as secure for password hashing. Message digest hashes are designed to be fast, while password hashing mechanisms are designed with certain...
CVE-2024-47182
Dozzle is a realtime log viewer for docker containers. Before version 8.5.3, the app uses sha-256 as the hash for passwords, which leaves users susceptible to rainbow table attacks. The app switches to bcrypt, a more appropriate hash for passwords, in version 8.5.3...
CVE-2024-47182 Dozzle uses unsafe hash for passwords
Dozzle is a realtime log viewer for docker containers. Before version 8.5.3, the app uses sha-256 as the hash for passwords, which leaves users susceptible to rainbow table attacks. The app switches to bcrypt, a more appropriate hash for passwords, in version 8.5.3...
PT-2024-32464 · Dozzle +1 · Dozzle +1
Name of the Vulnerable Software and Affected Versions: Dozzle versions prior to 8.5.3 Description: The issue concerns the use of an insecure hash for passwords. Specifically, the app uses sha-256, which is susceptible to rainbow table attacks due to its design as a fast message digest hash. This...
ROS-20240806-13
Vulnerability in the implementation of the bcrypt hashing algorithm of the Prometheus system file export library Exporter Toolkit is related to authentication bypass during web.yml file processing. Exploitation of the vulnerability could allow an attacker to bypass security restrictions and gain...
CVE-2024-5213
In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login POST /api/request-token and after account creations POST /api/admin/users/new. This exposure occurs because the entire User object,...
CVE-2024-5213 Exposure of Sensitive Information in mintplex-labs/anything-llm
In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login POST /api/request-token and after account creations POST /api/admin/users/new. This exposure occurs because the entire User object,...
AnythingLLM Security Vulnerability
AnythingLLM is a document chatbot that meets business requirements. A security vulnerability exists in Mintplex Labs AnythingLLM versions 1.5.3 and earlier, which stems from the fact that the entire User object including the bcrypt password hash is included in the response sent to the front-end, ...
PT-2024-35125 · Mintplex · Anything-Llm
Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm versions up to and including 1.5.3 Description: An issue was discovered where the password hash of a user is returned in the response after login "POST /api/request-token" and after account creations "POST...
pam security update
1.3.1-33 - pam_namespace: protect_dir: use O_DIRECTORY to prevent local DoS situations. CVE-2024-22365. Resolves: RHEL-21242 1.3.1-32 - pam_access: handle hostnames in access.conf. Resolves: RHEL-3374 1.3.1-31 - pam_faillock: create tallydir before creating tallyfile. Resolves: RHEL-19810 1.3.1-30 -...
CLSA-2024-1714066325 Fix CVE(s): CVE-2024-3096
SECURITY UPDATE: security vulnerability in package - debian/patches/CVE-2024-3096.patch: Disallow null character in bcrypt password to fix bug causing password_verify to erroneously return true - CVE-2024-3096...
CLSA-2024-1714066065 Fix CVE(s): CVE-2024-3096
SECURITY UPDATE: improper handling of user input vulnerability - debian/patches/CVE-2024-3096.patch: Disallow null character in bcrypt password to prevent password_verify from erroneously returning true - CVE-2024-3096...
CVE-2017-7252
bcrypt password hashing in Botan before 2.1.0 does not correctly handle passwords with a length between 57 and 72 characters, which makes it easier for attackers to determine the cleartext password...
CVE-2017-7252
Removed by vendor...