CVE-2024-24553
Bludit uses SHA1 as Password Hashing Algorithm
Severity Score
5.9
*CVSS v4
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track*
*SSVC
Descriptions
Bludit uses the SHA-1 hashing algorithm to compute password hashes. Thus, attackers could determine cleartext passwords with brute-force attacks due to the inherent speed of SHA-1. In addition, the salt that is computed by Bludit is generated with a non-cryptographically secure function.
Bludit utiliza el algoritmo hash SHA-1 para calcular hashes de contraseñas. Por lo tanto, los atacantes podrían determinar contraseñas de texto sin cifrar con ataques de fuerza bruta debido a la velocidad inherente de SHA-1. Además, la sal que calcula Bludit se genera con una función no criptográficamente segura.
*Credits:
Andreas Pfefferle, Redguard AG
CVSS Scores
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
System
Vulnerable | Subsequent
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track*
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-01-25 CVE Reserved
- 2024-06-24 CVE Published
- 2024-06-24 EPSS Updated
- 2024-08-01 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-916: Use of Password Hash With Insufficient Computational Effort
CAPEC
- CAPEC-16: Dictionary-based Password Attack
- CAPEC-20: Encryption Brute Forcing
- CAPEC-49: Password Brute Forcing
References (1)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|