Common Weakness Enumeration

CWE-916

Allowed

Use of Password Hash With Insufficient Computational Effort

Abstraction: Base · Status: Incomplete

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

162 vulnerabilities reference this CWE, most recent first.

GHSA-22VF-QC4P-VC3X

Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17
VLAI
Details

In Digi RealPort through 4.8.488.0, authentication relies on a challenge-response mechanism that gives access to the server password, making the protection ineffective. An attacker may send an unauthenticated request to the server. The server will reply with a weakly-hashed version of the server's access password. The attacker may then crack this hash offline in order to successfully login to the server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36767"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-916"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-08T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In Digi RealPort through 4.8.488.0, authentication relies on a challenge-response mechanism that gives access to the server password, making the protection ineffective. An attacker may send an unauthenticated request to the server. The server will reply with a weakly-hashed version of the server\u0027s access password. The attacker may then crack this hash offline in order to successfully login to the server.",
  "id": "GHSA-22vf-qc4p-vc3x",
  "modified": "2022-05-24T19:17:03Z",
  "published": "2022-05-24T19:17:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36767"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/reidmefirst/vuln-disclosure/main/2021-02.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-25QJ-GFR4-9MHJ

Vulnerability from github – Published: 2022-05-01 06:45 – Updated: 2024-02-09 03:32
VLAI
Details

BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-1058"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-916"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-04-04T10:04:00Z",
    "severity": "LOW"
  },
  "details": "BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables.",
  "id": "GHSA-25qj-gfr4-9mhj",
  "modified": "2024-02-09T03:32:52Z",
  "published": "2022-05-01T06:45:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-1058"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25569"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9483"
    },
    {
      "type": "WEB",
      "url": "http://bugs.busybox.net/view.php?id=604"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/19477"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/25098"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/25848"
    },
    {
      "type": "WEB",
      "url": "http://support.avaya.com/elmodocs2/security/ASA-2007-250.htm"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2007-0244.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/17330"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-265M-MR24-FCWV

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-08-31 00:00
VLAI
Details

The user and password data base is exposed by an unprotected web server resource. Passwords are hashed with a weak hashing algorithm and therefore allow an attacker to determine the password by using rainbow tables.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-23855"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-916"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-04T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "The user and password data base is exposed by an unprotected web server resource. Passwords are hashed with a weak hashing algorithm and therefore allow an attacker to determine the password by using rainbow tables.",
  "id": "GHSA-265m-mr24-fcwv",
  "modified": "2022-08-31T00:00:21Z",
  "published": "2022-05-24T19:16:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23855"
    },
    {
      "type": "WEB",
      "url": "https://psirt.bosch.com/security-advisories/bosch-sa-741752.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-26J2-2WP8-H95H

Vulnerability from github – Published: 2022-12-26 21:30 – Updated: 2024-10-03 21:31
VLAI
Details

In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), the password-hashing feature requires insufficient computational effort.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-12069"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-916"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-26T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), the password-hashing feature requires insufficient computational effort.",
  "id": "GHSA-26j2-2wp8-h95h",
  "modified": "2024-10-03T21:31:02Z",
  "published": "2022-12-26T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12069"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en/advisories/VDE-2021-061"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en/advisories/VDE-2022-022"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en/advisories/VDE-2022-031"
    },
    {
      "type": "WEB",
      "url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=12943\u0026token=d097958a67ba382de688916f77e3013c0802fade\u0026download="
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-275F-JQ4P-WXGW

Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2026-07-05 00:31
VLAI
Details

Fluxbb 1.5.11 is affected by a denial of service (DoS) vulnerability by sending an extremely long password via the user login form. When a long password is sent, the password hashing process will result in CPU and memory exhaustion on the server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-28873"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-916"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-17T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "Fluxbb 1.5.11 is affected by a denial of service (DoS) vulnerability by sending an extremely long password via the user login form. When a long password is sent, the password hashing process will result in CPU and memory exhaustion on the server.",
  "id": "GHSA-275f-jq4p-wxgw",
  "modified": "2026-07-05T00:31:17Z",
  "published": "2022-05-24T17:44:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28873"
    },
    {
      "type": "WEB",
      "url": "https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/#:~:text=By%20sending%20a%20very%20long%2Ca%20vulnerable%20password%20hashing%20implementation"
    },
    {
      "type": "WEB",
      "url": "https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/#:~:text=By%20sending%20a%20very%20long,a%20vulnerable%20password%20hashing%20implementation"
    },
    {
      "type": "WEB",
      "url": "http://fluxbb.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2GV7-CC99-M2PR

Vulnerability from github – Published: 2025-01-29 03:31 – Updated: 2025-01-29 03:31
VLAI
Details

IBM Security Verify Governance 10.0.2 Identity Manager

uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-33838"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-759",
      "CWE-916"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-29T02:15:26Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Verify Governance 10.0.2 Identity Manager \n\nuses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.",
  "id": "GHSA-2gv7-cc99-m2pr",
  "modified": "2025-01-29T03:31:48Z",
  "published": "2025-01-29T03:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33838"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7172200"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2Q8J-P5MW-6MF5

Vulnerability from github – Published: 2025-12-16 21:30 – Updated: 2025-12-16 21:30
VLAI
Details

Insecure defaults in the Server Agent component of Fortra's Core Privileged Access Manager (BoKS) can result in the selection of weak password hash algorithms.  This issue affects BoKS Server Agent 9.0 instances that support yescrypt and are running in a BoKS 8.1 domain.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13532"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-916"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-16T20:15:47Z",
    "severity": "MODERATE"
  },
  "details": "Insecure defaults in the Server Agent component of Fortra\u0027s Core Privileged Access Manager (BoKS) can result in the selection of weak password hash algorithms. \u00a0This issue affects BoKS Server Agent 9.0 instances that support yescrypt and are running in a BoKS 8.1 domain.",
  "id": "GHSA-2q8j-p5mw-6mf5",
  "modified": "2025-12-16T21:30:55Z",
  "published": "2025-12-16T21:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13532"
    },
    {
      "type": "WEB",
      "url": "https://www.fortra.com/security/advisories/product-security/fi-2025-014"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-32FF-4G79-VGFC

Vulnerability from github – Published: 2022-07-29 22:28 – Updated: 2025-03-07 19:09
VLAI
Summary
Flask-AppBuilder before v4.1.3 allows inference of sensitive information through query strings
Details

Impact

An authenticated Admin user could craft HTTP requests to filter users by their salted and hashed passwords strings. These filters could be made by using partial hashed password strings. The response would not include the hashed passwords, but an attacker could infer partial password hashes and their respective users.

Only when using AUTH_DB database authentication option.

Patches

Fixed on 4.1.3

For more information

If you have any questions or comments about this advisory: * Open an issue in example link to repo * Email us at example email address

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Flask-AppBuilder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31177"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-916"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-29T22:28:12Z",
    "nvd_published_at": "2022-08-01T19:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\nAn authenticated Admin user could craft HTTP requests to filter users by their salted and hashed passwords strings. These filters could be made by using partial hashed password strings. The response would not include the hashed passwords, but an attacker could infer partial password hashes and their respective users.\n\nOnly when using `AUTH_DB` database authentication option.\n\n### Patches\nFixed on 4.1.3\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [example link to repo](http://example.com)\n* Email us at [example email address](mailto:example@example.com)",
  "id": "GHSA-32ff-4g79-vgfc",
  "modified": "2025-03-07T19:09:38Z",
  "published": "2022-07-29T22:28:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-32ff-4g79-vgfc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31177"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dpgaspar/Flask-AppBuilder"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.1.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2022-247.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flask-AppBuilder before v4.1.3 allows inference of sensitive information through query strings"
}

GHSA-335Q-V5R7-XQ5P

Vulnerability from github – Published: 2023-02-16 21:30 – Updated: 2023-02-25 00:30
VLAI
Details

A use of password hash with insufficient computational effort vulnerability [CWE-916] in FortiSandbox before 4.2.0 may allow an attacker with access to the password database to efficiently mount bulk guessing attacks to recover the passwords.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26115"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-916"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-16T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "A use of password hash with insufficient computational effort vulnerability [CWE-916] in FortiSandbox before 4.2.0 may allow an attacker with access to the password database to efficiently mount bulk guessing attacks to recover the passwords.",
  "id": "GHSA-335q-v5r7-xq5p",
  "modified": "2023-02-25T00:30:46Z",
  "published": "2023-02-16T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26115"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-20-220"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-35M5-8CVJ-8783

Vulnerability from github – Published: 2021-11-10 16:28 – Updated: 2024-09-20 16:50
VLAI
Summary
Improper hashing in enrocrypt
Details

Impact

The vulnerability is we used MD5 hashing Algorithm In our hashing file. If anyone who is a beginner(and doesn't know about hashes) can face problems as MD5 is considered a Insecure Hashing Algorithm.

Patches

The vulnerability is patched in v1.1.4 of the product, the users can upgrade to version 1.1.4.

Workarounds

If u specifically want a version and don't want to upgrade, you can remove the MD5 hashing function from the file hashing.py and this vulnerability will be gone

References

https://www.cybersecurity-help.cz/vdb/cwe/916/ https://www.cybersecurity-help.cz/vdb/cwe/327/ https://www.cybersecurity-help.cz/vdb/cwe/328/ https://www.section.io/engineering-education/what-is-md5/ https://www.johndcook.com/blog/2019/01/24/reversing-an-md5-hash/

For more information

If you have any questions or comments about this advisory: * Open an issue in Enrocrypt's Official Repo * Create a Discussion in Enrocrypt's Official Repo

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "enrocrypt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-39182"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-327",
      "CWE-328",
      "CWE-916"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-08T18:58:04Z",
    "nvd_published_at": "2021-11-08T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe vulnerability is we used MD5 hashing Algorithm In our hashing file. If anyone who is a beginner(and doesn\u0027t know about hashes)  can face problems as MD5 is considered a Insecure Hashing Algorithm. \n\n### Patches\nThe vulnerability is patched in v1.1.4 of the product, the users can upgrade to version 1.1.4.\n\n### Workarounds\nIf u specifically want a version and don\u0027t want to upgrade, you can remove the `MD5` hashing function from the file `hashing.py` and this vulnerability will be gone\n\n### References\nhttps://www.cybersecurity-help.cz/vdb/cwe/916/\nhttps://www.cybersecurity-help.cz/vdb/cwe/327/\nhttps://www.cybersecurity-help.cz/vdb/cwe/328/\nhttps://www.section.io/engineering-education/what-is-md5/\nhttps://www.johndcook.com/blog/2019/01/24/reversing-an-md5-hash/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [**Enrocrypt\u0027s Official Repo**](http://www.github.com/Morgan-Phoenix/EnroCrypt)\n* Create a Discussion in  [**Enrocrypt\u0027s Official Repo**](http://www.github.com/Morgan-Phoenix/EnroCrypt)\n",
  "id": "GHSA-35m5-8cvj-8783",
  "modified": "2024-09-20T16:50:32Z",
  "published": "2021-11-10T16:28:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Morgan-Phoenix/EnroCrypt/security/advisories/GHSA-35m5-8cvj-8783"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39182"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Morgan-Phoenix/EnroCrypt/commit/e652d56ac60eadfc26489ab83927af13a9b9d8ce"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Morgan-Phoenix/EnroCrypt"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/enrocrypt/PYSEC-2021-385.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Improper hashing in enrocrypt"
}

Mitigation MIT-51
Architecture and Design
  • Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use.
  • Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead.
  • Note that using these functions can have an impact on performance, so they require special consideration to avoid denial-of-service attacks. However, their configurability provides finer control over how much CPU and memory is used, so it could be adjusted to suit the environment's needs.
Mitigation MIT-25
Implementation Architecture and Design

When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.

CAPEC-55: Rainbow Table Password Cracking

An attacker gets access to the database table where hashes of passwords are stored. They then use a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system.