
CVE-2019-25030


Severity Score: 5.5 (*CVSS v3.1)

Exploit Likelihood: - (*EPSS)

Affected Versions: - (*CPE)

Public Exploits: 0 (*Multiple Sources)

Exploited in Wild: - (*KEV)

Decision: - (*SSVC)
Descriptions

In Versa Director, Versa Analytics and VOS, passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgård construction (such as MD5 and SHA-1) alone are insufficient for thwarting password cracking. Attackers can generate and use precomputed hashes for all possible password character combinations (commonly referred to as "rainbow tables") relatively quickly. The use of adaptive hashing algorithms such as scrypt or bcrypt, or key derivation functions (i.e. PBKDF2), to hash passwords makes generation of such rainbow tables computationally infeasible.


*Credits: N/A
CVSS Scores
CVSS v3.1
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None
CVSS v2
  • Attack Vector: Local
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2021-04-23 CVE Reserved
  • 2021-05-26 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-522: Insufficiently Protected Credentials
CAPEC
References (1)
  • https://hackerone.com/reports/1168197 (Tag: Third Party Advisory)
Affected Vendors, Products, and Versions
Vendor / Product / Version / Other / Status
  • Versa-networks / Versa Analytics / -- / - / Affected
  • Versa-networks / Versa Director / -- / - / Affected
  • Versa-networks / Versa Operating System / -- / - / Affected