CVE-2021-21253 - OpenCVE

Vendors	Products
Onlinevotingsystem Project	Onlinevotingsystem

Link	Resource
https://github.com/dbijaya/OnlineVotingSystem/commit/0181cb0272857696c8eb3e44fcf6cb014ff90f09	Patch Third Party Advisory
https://github.com/dbijaya/OnlineVotingSystem/security/advisories/GHSA-wwg8-372v-v332	Third Party Advisory

{"containers": {"cna": {"affected": [{"product": "OnlineVotingSystem", "vendor": "dbijaya", "versions": [{"status": "affected", "version": "< 1.1.2"}]}], "descriptions": [{"lang": "en", "value": "OnlineVotingSystem is an open source project hosted on GitHub. OnlineVotingSystem before version 1.1.2 hashes user passwords without a salt, which is vulnerable to dictionary attacks. Therefore there is a threat of security breach in the voting system. Without a salt, it is much easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables to crack passwords. This problem is fixed and published in version 1.1.2. A long randomly generated salt is added to the password hash function to better protect passwords stored in the voting system."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-759", "description": "CWE-759 Use of a One-Way Hash without a Salt", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-21T14:20:16", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dbijaya/OnlineVotingSystem/security/advisories/GHSA-wwg8-372v-v332"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/dbijaya/OnlineVotingSystem/commit/0181cb0272857696c8eb3e44fcf6cb014ff90f09"}], "source": {"advisory": "GHSA-wwg8-372v-v332", "discovery": "UNKNOWN"}, "title": "Use of a One-Way Hash without a Salt in OnlineVotingSystem", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21253", "STATE": "PUBLIC", "TITLE": "Use of a One-Way Hash without a Salt in OnlineVotingSystem"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "OnlineVotingSystem", "version": {"version_data": [{"version_value": "< 1.1.2"}]}}]}, "vendor_name": "dbijaya"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OnlineVotingSystem is an open source project hosted on GitHub. OnlineVotingSystem before version 1.1.2 hashes user passwords without a salt, which is vulnerable to dictionary attacks. Therefore there is a threat of security breach in the voting system. Without a salt, it is much easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables to crack passwords. This problem is fixed and published in version 1.1.2. A long randomly generated salt is added to the password hash function to better protect passwords stored in the voting system."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-759 Use of a One-Way Hash without a Salt"}]}]}, "references": {"reference_data": [{"name": "https://github.com/dbijaya/OnlineVotingSystem/security/advisories/GHSA-wwg8-372v-v332", "refsource": "CONFIRM", "url": "https://github.com/dbijaya/OnlineVotingSystem/security/advisories/GHSA-wwg8-372v-v332"}, {"name": "https://github.com/dbijaya/OnlineVotingSystem/commit/0181cb0272857696c8eb3e44fcf6cb014ff90f09", "refsource": "MISC", "url": "https://github.com/dbijaya/OnlineVotingSystem/commit/0181cb0272857696c8eb3e44fcf6cb014ff90f09"}]}, "source": {"advisory": "GHSA-wwg8-372v-v332", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21253", "datePublished": "2021-01-21T14:20:16", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2021-01-21T14:20:16", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:onlinevotingsystem_project:onlinevotingsystem:*:*:*:*:*:*:*:*", "matchCriteriaId": "9512C3B9-84DD-4E95-8091-B4C18719D719", "versionEndExcluding": "1.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OnlineVotingSystem is an open source project hosted on GitHub. OnlineVotingSystem before version 1.1.2 hashes user passwords without a salt, which is vulnerable to dictionary attacks. Therefore there is a threat of security breach in the voting system. Without a salt, it is much easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables to crack passwords. This problem is fixed and published in version 1.1.2. A long randomly generated salt is added to the password hash function to better protect passwords stored in the voting system."}, {"lang": "es", "value": "OnlineVotingSystem es un proyecto de c\u00f3digo abierto alojado en GitHub. OnlineVotingSystem anterior a versi\u00f3n 1.1.2, aplica un hash a las contrase\u00f1as de los usuarios sin sal, lo que es vulnerable a ataques de diccionario. Por lo tanto, se presenta una amenaza de violaci\u00f3n de seguridad en el sistema de votaci\u00f3n. Sin una sal, es mucho m\u00e1s f\u00e1cil para los atacantes calcular previamente el valor hash usando t\u00e9cnicas de ataque de diccionario como tablas rainbow para descifrar contrase\u00f1as. Este problema est\u00e1 corregido y publicado en la versi\u00f3n 1.1.2. Se agrega una sal generada aleatoriamente a la funci\u00f3n password hash para proteger mejor las contrase\u00f1as almacenadas en el sistema de votaci\u00f3n"}], "id": "CVE-2021-21253", "lastModified": "2022-10-24T20:58:09.827", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-01-21T15:15:14.580", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dbijaya/OnlineVotingSystem/commit/0181cb0272857696c8eb3e44fcf6cb014ff90f09"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/dbijaya/OnlineVotingSystem/security/advisories/GHSA-wwg8-372v-v332"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-916"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-759"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

JSON object

JSON object

JSON object