CVE-2024-47182
published 2024-09-27CVE-2024-47182: Dozzle is a realtime log viewer for docker containers. Before version 8.5.3, the app uses sha-256 as the hash for passwords, which leaves users susceptible to…
PriorityP336high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.21%
10.6th percentile
Dozzle is a realtime log viewer for docker containers. Before version 8.5.3, the app uses sha-256 as the hash for passwords, which leaves users susceptible to rainbow table attacks. The app switches to bcrypt, a more appropriate hash for passwords, in version 8.5.3.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| amir20 | dozzle | < 8.5.3 | 8.5.3 |
| amirraminfar | dozzle | < 8.5.3 | 8.5.3 |
| github.com | amir20_dozzle | >= 0 < 8.5.3 | 8.5.3 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Dozzle uses unsafe hash for passwords
ghsa·2024-10-09
CVE-2024-47182 [LOW] CWE-326 Dozzle uses unsafe hash for passwords
Dozzle uses unsafe hash for passwords
### Summary
The app uses sha-256 as the hash for passwords. The app should switch to bcrypt.
### Details
SHA-256 is a message digest hash, and not classified as secure for password hashing. Message digest hashes are designed to be fast, while password hashing mechanisms are designed with certain cryptographic properties (e.g. slow) to protect against vulnerabilities. Refer to the links below for more information:
- https://security.stackexchange.com/questions/195563/why-is-sha-256-not-good-for-passwords
- https://stackoverflow.com/questions/11624372/best-practice-for-hashing-passwords-sha256-or-sha512
- https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pre-hashing-passwords-with-bcrypt
### PoC
N/A
### Impact
It leaves
OSV
Dozzle uses unsafe hash for passwords
osv·2024-10-09
CVE-2024-47182 [LOW] Dozzle uses unsafe hash for passwords
Dozzle uses unsafe hash for passwords
### Summary
The app uses sha-256 as the hash for passwords. The app should switch to bcrypt.
### Details
SHA-256 is a message digest hash, and not classified as secure for password hashing. Message digest hashes are designed to be fast, while password hashing mechanisms are designed with certain cryptographic properties (e.g. slow) to protect against vulnerabilities. Refer to the links below for more information:
- https://security.stackexchange.com/questions/195563/why-is-sha-256-not-good-for-passwords
- https://stackoverflow.com/questions/11624372/best-practice-for-hashing-passwords-sha256-or-sha512
- https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pre-hashing-passwords-with-bcrypt
### PoC
N/A
### Impact
It leaves
OSV
Dozzle uses unsafe hash for passwords in github.com/amir20/dozzle
osv·2024-10-09
CVE-2024-47182 Dozzle uses unsafe hash for passwords in github.com/amir20/dozzle
Dozzle uses unsafe hash for passwords in github.com/amir20/dozzle
Dozzle uses unsafe hash for passwords in github.com/amir20/dozzle.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/amir20/dozzle before v8.5.3.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-09-27
Published