CVE-2021-21253

{"id": "CVE-2021-21253", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2021-01-21T15:15:14.580", "references": [{"url": "https://github.com/dbijaya/OnlineVotingSystem/commit/0181cb0272857696c8eb3e44fcf6cb014ff90f09", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dbijaya/OnlineVotingSystem/security/advisories/GHSA-wwg8-372v-v332", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-916"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-759"}]}], "descriptions": [{"lang": "en", "value": "OnlineVotingSystem is an open source project hosted on GitHub. OnlineVotingSystem before version 1.1.2 hashes user passwords without a salt, which is vulnerable to dictionary attacks. Therefore there is a threat of security breach in the voting system. Without a salt, it is much easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables to crack passwords. This problem is fixed and published in version 1.1.2. A long randomly generated salt is added to the password hash function to better protect passwords stored in the voting system."}, {"lang": "es", "value": "OnlineVotingSystem es un proyecto de c\u00f3digo abierto alojado en GitHub. OnlineVotingSystem anterior a versi\u00f3n 1.1.2, aplica un hash a las contrase\u00f1as de los usuarios sin sal, lo que es vulnerable a ataques de diccionario. Por lo tanto, se presenta una amenaza de violaci\u00f3n de seguridad en el sistema de votaci\u00f3n. Sin una sal, es mucho m\u00e1s f\u00e1cil para los atacantes calcular previamente el valor hash usando t\u00e9cnicas de ataque de diccionario como tablas rainbow para descifrar contrase\u00f1as. Este problema est\u00e1 corregido y publicado en la versi\u00f3n 1.1.2. Se agrega una sal generada aleatoriamente a la funci\u00f3n password hash para proteger mejor las contrase\u00f1as almacenadas en el sistema de votaci\u00f3n"}], "lastModified": "2022-10-24T20:58:09.827", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:onlinevotingsystem_project:onlinevotingsystem:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9512C3B9-84DD-4E95-8091-B4C18719D719", "versionEndExcluding": "1.1.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}