Weak Salt in SSHA Password Generation in Ruby net-ldap Gem
CVE-2014-0083

5.5MEDIUM

Key Information:

Vendor

Ruby-net-ldap

Status
Ruby-net-ldap
Vendor
CVE Published:
21 November 2019

What is CVE-2014-0083?

The Ruby net-ldap gem prior to version 0.11 utilizes a weak salt mechanism when generating SSHA passwords, which can lead to insufficient password protection. This vulnerability allows attackers to exploit the predictable nature of the salts, potentially enabling them to reverse-engineer hashed passwords. It is crucial for developers to update to the latest version of the gem to mitigate this vulnerability and enhance the security of password management within applications that rely on net-ldap.

Affected Version(s)

ruby-net-ldap 0.16.2

References

https://security-tracker.debian.org/tracker/CVE-2014-0083
x_refsource_MISC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0083
x_refsource_MISC
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2014-0083
x_refsource_MISC

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.