CWE-916
Use of Password Hash With Insufficient Computational Effort
Description
The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-55
CVEs mapped to this weakness (44)
Page 3 of 3

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2020-14389 | 0.00 | — | 0.01 | Nov 17, 2020 | It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have. |
| CVE-2014-0083 | 0.00 | — | 0.00 | Nov 21, 2019 | The Ruby net-ldap gem before 0.11 uses a weak salt when generating SSHA passwords. |
| CVE-2014-2354 | 0.00 | — | 0.01 | May 30, 2014 | Cogent DataHub before 7.3.5 does not use a salt during password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack. |
| CVE-2009-4269 | 0.00 | — | 0.01 | Aug 16, 2010 | The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly… |