Use of Password Hash With Insufficient Computational Effort

CVE-2017-18917

High

7.5/10

Summary

An issue was discovered in Mattermost Server versions prior to 3.6.7, 3.7.x prior to 3.7.5 and 3.8.x prior to 3.8.1. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-916 - Use of Password Hash With Insufficient Computational Effort

The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

References

Advisory
Pull request

Advisory Timeline

Published Jun 19, 2020

Use of Password Hash With Insufficient Computational Effort

CVE-2017-18917

Summary

CWE-916 - Use of Password Hash With Insufficient Computational Effort

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS