CVE-2022-37163
Description
Bminusl IHateToBudget v1.5.7 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper making it much easier for tools like hashcat to crack the hashes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IHateToBudget v1.5.7 uses a weak password policy and stores unsalted password hashes, enabling brute-force and hash-cracking attacks.
Vulnerability
IHateToBudget version 1.5.7 employs a weak password policy that does not enforce complexity requirements, and user passwords are hashed without a salt or pepper, so little computational effort is needed to crack them [1]. The application stores these unsalted hashes on the server, making them susceptible to offline brute-force attacks using tools like hashcat [1].
Exploitation
An attacker with network access to the application can attempt brute-force authentication attacks because the weak password policy permits easily guessed passwords [1]. Additionally, if the attacker gains access to the password hash database (e.g., via a separate server compromise), the unsalted hashes can be cracked efficiently using hashcat or similar tools: without a salt or pepper, each candidate password needs to be hashed only once and the result compared against every stored hash [1]. No user interaction is needed beyond normal authentication attempts.
Impact
Successful exploitation could allow an attacker to gain unauthorized access to the IHateToBudget application, potentially leading to disclosure of sensitive financial data (confidentiality) and unauthorized modification of budget entries (integrity) [1]. The attacker would obtain the privileges of the compromised user account.
Mitigation
As of the available references, no patch has been released. The IHateToBudget repository was archived by the owner on December 24, 2022, indicating that no further updates are planned [2]. Users should migrate to an alternative budget application that implements a proper password policy and salted hashing. The available references do not disclose an official fix timeline.
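The following Python is an added example, not code from the IHateToBudget project or from the cited references. It contrasts the storage pattern the CVE describes (an unsalted hash of the raw password, so two users with the same password produce the same stored value) with per-user salted PBKDF2-HMAC-SHA256, and adds the two things the mitigation section asks an alternative application to provide: a minimum password policy and a check that flags legacy unsalted hashes for re-hashing at the user's next successful login. All function names, the iteration count and the small blocklist are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# --- Weak pattern described in the CVE (constructed illustration, not the project's code).
def weak_hash(password: str) -> str:
    """Unsalted SHA-256 of the raw password.

    Identical passwords yield identical hashes, so a cracker can hash each
    guess once and match it against every stored hash at the same time.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# --- Hardened pattern: per-user random salt plus a deliberately slow KDF.
PBKDF2_ITERATIONS = 600_000  # assumed cost parameter; tune so one hash takes ~100 ms
STORED_PREFIX = "pbkdf2_sha256"


def hash_password(password: str,
                  salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{STORED_PREFIX}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != STORED_PREFIX:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk.hex(), hash_hex)


def needs_rehash(stored: str) -> bool:
    """True for legacy unsalted hashes or records below the current iteration count.

    Call this after a successful login so the plaintext is available to re-hash.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != STORED_PREFIX:
        return True  # bare hex digest or unknown format: migrate it
    try:
        return int(parts[1]) < PBKDF2_ITERATIONS
    except ValueError:
        return True


# --- Password policy: minimum length plus a tiny constructed blocklist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}  # constructed sample


def check_password_policy(password: str, min_length: int = 12) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password blocklist")
    return problems


if __name__ == "__main__":
    # Two users who chose the same password: unsalted hashes collide, salted ones do not.
    print("unsalted collide:", weak_hash("password") == weak_hash("password"))
    a, b = hash_password("password"), hash_password("password")
    print("salted collide:  ", a == b)
    print("verify ok:       ", verify_password("password", a))
    print("legacy needs rehash:", needs_rehash(weak_hash("password")))
    print("policy:", check_password_policy("password"))
```

Storing the iteration count inside the record lets the cost be raised later without invalidating existing accounts: `needs_rehash` flags stale records and the application re-hashes them on the next successful login, which is also how the unsalted legacy hashes would be migrated in an application that still has them.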
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Bminusl/IHateToBudget
- Range: 1.5.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] gainsec.com/2022/08/07/cve-2022-hardcoded-creds-weak-password-hauk-android-location-sharing/
- [2] github.com/bminusl/ihatetobudget/issues/24
News mentions
No linked articles in our index yet.