CVE-2023-33243

RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allows authentication using the SHA512 hash of the password instead of the cleartext password. While storing password hashes instead of cleartext passwords in an application's database generally has become best practice to protect users' passwords in case of a database compromise, this is rendered ineffective when allowing to authenticate using the password hash.
Configurations

Configuration 1 (hide)

cpe:2.3:a:starface:starface:*:*:*:*:*:*:*:*

History

03 Jul 2023, 17:30

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.1
CPE cpe:2.3:a:starface:starface:*:*:*:*:*:*:*:*
CWE CWE-916
References (MISC) https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses - (MISC) https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses - Third Party Advisory
References (MISC) https://www.redteam-pentesting.de/en/advisories/rt-sa-2022-004/-starface-authentication-with-password-hash-possible - (MISC) https://www.redteam-pentesting.de/en/advisories/rt-sa-2022-004/-starface-authentication-with-password-hash-possible - Exploit, Third Party Advisory

15 Jun 2023, 20:46

Type Values Removed Values Added
New CVE

Information

Published : 2023-06-15 20:15

Updated : 2024-02-04 23:37


NVD link : CVE-2023-33243

Mitre link : CVE-2023-33243

CVE.ORG link : CVE-2023-33243


JSON object : View

Products Affected

starface

  • starface
CWE
CWE-916

Use of Password Hash With Insufficient Computational Effort