CVE-2025-27408 (GCVE-0-2025-27408)
Vulnerability from cvelistv5
Published
2025-02-28 17:26
Modified
2025-03-04 22:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-759 - Use of a One-Way Hash without a Salt
Summary
Manifest offers users a one-file micro back end. Prior to version 4.9.2, Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process. Version 4.9.2 fixes the issue.
References
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-27408", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-02-28T18:10:40.836169Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-02-28T18:11:49.988Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "manifest", "vendor": "mnfst", "versions": [ { "status": "affected", "version": "\u003c 4.9.2" } ] } ], "descriptions": [ { "lang": "en", "value": "Manifest offers users a one-file micro back end. Prior to version 4.9.2, Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process. Version 4.9.2 fixes the issue." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-759", "description": "CWE-759: Use of a One-Way Hash without a Salt", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-04T22:23:15.608Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c" }, { "name": "https://github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69" } ], "source": { "advisory": "GHSA-h8h6-7752-g28c", "discovery": "UNKNOWN" }, "title": "Manifest Uses a One-Way Hash without a Salt" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-27408", "datePublished": "2025-02-28T17:26:15.196Z", "dateReserved": "2025-02-24T15:51:17.268Z", "dateUpdated": "2025-03-04T22:23:15.608Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2025-27408\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-02-28T18:15:28.983\",\"lastModified\":\"2025-03-04T23:15:10.897\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Manifest offers users a one-file micro back end. Prior to version 4.9.2, Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process. Version 4.9.2 fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Manifest ofrece a los usuarios un micro back end de un solo archivo. Antes de la versi\u00f3n 4.9.1, Manifest empleaba una implementaci\u00f3n de hash de contrase\u00f1as d\u00e9bil que utiliza SHA3 sin sal. Esto expone las contrase\u00f1as de los usuarios a un mayor riesgo de ser descifradas si un atacante obtiene acceso a la base de datos. Sin el uso de una sal, las contrase\u00f1as id\u00e9nticas de varios usuarios dar\u00e1n como resultado el mismo hash, lo que facilita que los atacantes identifiquen y exploten patrones, acelerando as\u00ed el proceso de descifrado. La versi\u00f3n 4.9.1 soluciona el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-759\"}]}],\"references\":[{\"url\":\"https://github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c\",\"source\":\"security-advisories@github.com\"}]}}", "vulnrichment": { "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-27408\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-28T18:10:40.836169Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-28T18:11:16.010Z\"}}], \"cna\": {\"title\": \"Manifest Uses a One-Way Hash without a Salt\", \"source\": {\"advisory\": \"GHSA-h8h6-7752-g28c\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"mnfst\", \"product\": \"manifest\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.9.2\"}]}], \"references\": [{\"url\": \"https://github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c\", \"name\": \"https://github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69\", \"name\": \"https://github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Manifest offers users a one-file micro back end. Prior to version 4.9.2, Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process. Version 4.9.2 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-759\", \"description\": \"CWE-759: Use of a One-Way Hash without a Salt\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-03-04T22:23:15.608Z\"}}}", "cveMetadata": "{\"cveId\": \"CVE-2025-27408\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-04T22:23:15.608Z\", \"dateReserved\": \"2025-02-24T15:51:17.268Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-02-28T17:26:15.196Z\", \"assignerShortName\": \"GitHub_M\"}", "dataType": "CVE_RECORD", "dataVersion": "5.1" } } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…