VYPR

CWE-916

Use of Password Hash With Insufficient Computational Effort

Base | Incomplete

Description

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-55

CVEs mapped to this weakness (44)

  • CVE-2020-14389 (Nov 17, 2020)
    risk 0.00 | cvss | epss 0.01

    It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.

  • CVE-2014-0083 (Nov 21, 2019)
    risk 0.00 | cvss | epss 0.00

    The Ruby net-ldap gem before 0.11 uses a weak salt when generating SSHA passwords.

  • CVE-2014-2354 (May 30, 2014)
    risk 0.00 | cvss | epss 0.01

    Cogent DataHub before 7.3.5 does not use a salt during password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack.

  • CVE-2009-4269 (Aug 16, 2010)
    risk 0.00 | cvss | epss 0.01

    The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly…