CVE Daily
← All tags

Tag: Salt

All CVEs associated with "Salt". Page 2/2 • 213 CVEs.

Subscribe CVEs: RSS for “Salt”  ·  RSS (High+Critical only)

About “Salt”

A curated feed of “Salt”-related CVEs appears below. We currently track 213 CVEs for this tag (all time). In the last 365 days, 41 were published. Average CVSS is 7.0 (all time; 6.6 over 365d), and 54% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-326 - Inadequate Encryption Strength, CWE-759 - Use of a One-Way Hash without a Salt, CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor.

In our taxonomy this topic maps to a LOW impact class. Config management tools have broad privileges. Patch servers and agents, use least privilege, sign artifacts, and audit playbooks and modules. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2021-01-21
Medium

CVE-2021-21253

OnlineVotingSystem is an open source project hosted on GitHub. OnlineVotingSystem before version 1.1.2 hashes user passwords without a salt, which is vulnerable to dictionary attacks. Therefore there…

CVSS: 5.8 CWE: CWE-759 - Use of a One-Way Hash without a Salt View on NVD
2020-12-11
Medium

CVE-2020-28214

A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictiona…

CVSS: 5.5 CWE: CWE-760 - Use of a One-Way Hash with a Predictable Salt View on NVD
2020-11-06
Critical

CVE-2020-25592

In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2020-17490

The TLS module within SaltStack Salt through 3002 creates certificates with weak file permissions.

CVSS: 5.5 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Critical

CVE-2020-16846

An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.

CVSS: 9.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2020-10-20
High

CVE-2019-9080

DomainMOD before 4.14.0 uses MD5 without a salt for password storage.

CVSS: 7.5 CWE: CWE-916 - Use of Password Hash With Insufficient Computational Effort View on NVD
2020-09-23
High

CVE-2020-16244

GE Digital APM Classic, Versions 4.4 and prior. Salt is not used for hash calculation of passwords, making it possible to decrypt passwords. This design flaw, along with the IDOR vulnerability, puts…

CVSS: 7.2 CWE: CWE-759 - Use of a One-Way Hash without a Salt View on NVD
2020-09-17
Critical

CVE-2020-8028

A Improper Access Control vulnerability in the configuration of salt of SUSE Linux Enterprise Module for SUSE Manager Server 4.1, SUSE Manager Proxy 4.0, SUSE Manager Retail Branch Server 4.0, SUSE M…

CVSS: 9.3 CWE: CWE-284 - Improper Access Control View on NVD
2020-07-23
Medium

CVE-2020-11625

An issue was discovered in AvertX Auto focus Night Vision HD Indoor/Outdoor IP Dome Camera HD838 and Night Vision HD Indoor/Outdoor Mini IP Bullet Camera HD438. Failed web UI login attempts elicit di…

CVSS: 5.3 CWE: CWE-203 - Observable Discrepancy View on NVD
2020-04-30
Medium

CVE-2020-11652

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods…

CVSS: 6.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Critical

CVE-2020-11651

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access…

CVSS: 9.8 CWE: N/A View on NVD
2020-03-02
High

CVE-2019-18897

A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of salt of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15; openSUSE Factory allows local attackers to escalat…

CVSS: 8.4 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
2020-02-28
High

CVE-2020-9449

An insecure random number generation vulnerability in BlaB! AX, BlaB! AX Pro, BlaB! WS (client), and BlaB! WS Pro (client) version 19.11 allows an attacker (with a guest or user session cookie) to es…

CVSS: 8.8 CWE: CWE-330 - Use of Insufficiently Random Values View on NVD
2020-01-30
High

CVE-2020-5229

Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causi…

CVSS: 7.7 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2020-01-17
Critical

CVE-2019-17361

In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoin…

CVSS: 9.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2019-11-21
Medium

CVE-2014-0083

The Ruby net-ldap gem before 0.11 uses a weak salt when generating SSHA passwords.

CVSS: 5.5 CWE: CWE-916 - Use of Password Hash With Insufficient Computational Effort View on NVD
2019-11-14
Medium

CVE-2019-15802

An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. The firmware hashes and encrypts passwords using a hardcoded cryptographic key in sal_util_str_encrypt() in libsal…

CVSS: 5.9 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
2019-10-02
Medium

CVE-2019-12737

UserHashedTableAuth in JetBrains Ktor framework before 1.2.0-rc uses a One-Way Hash with a Predictable Salt for storing user credentials.

CVSS: 5.3 CWE: CWE-916 - Use of Password Hash With Insufficient Computational Effort View on NVD
2019-07-18
Critical

CVE-2019-1010259

SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. It leads to RCE. The component is: The my…

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2019-06-13
Medium

CVE-2019-12813

An issue was discovered in Digital Persona U.are.U 4500 Fingerprint Reader v24. The key and salt used for obfuscating the fingerprint image exhibit cleartext when the fingerprint scanner device trans…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2019-04-11
High

CVE-2019-3916

Information disclosure vulnerability in Verizon Fios Quantum Gateway (G1100) firmware version 02.01.00.05 allows an remote, unauthenticated attacker to retrieve the value of the password salt by simp…

CVSS: 7.5 CWE: CWE-425 - Direct Request ('Forced Browsing') View on NVD
2019-04-09
Medium

CVE-2019-5615

Users with Site-level permissions can access files containing the username-encrypted passwords of Security Console Global Administrators and clear-text passwords for restoring backups, as well as the…

CVSS: 6.5 CWE: CWE-257 - Storing Passwords in a Recoverable Format View on NVD
2019-01-18
High

CVE-2019-3907

Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).

CVSS: 7.5 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
2019-01-15
High

CVE-2019-0030

Juniper ATP uses DES and a hardcoded salt for password hashing, allowing for trivial de-hashing of the password file contents. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.

CVSS: 7.2 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2018-12-13
Medium

CVE-2017-1268

IBM Security Guardium 10 and 10.5 uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input.…

CVSS: 5.9 CWE: CWE-310 View on NVD
2018-10-24
Critical

CVE-2018-15751

SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi).

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2018-15750

Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server.

CVSS: 5.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2018-09-25
High

CVE-2018-14647

Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML docu…

CVSS: 7.5 CWE: CWE-335 - Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) View on NVD
2018-09-05
Critical

CVE-2018-15681

An issue was discovered in BTITeam XBTIT 2.5.4. When a user logs in, their password hash is rehashed using a predictable salt and stored in the "pass" cookie, which is not flagged as HTTPOnly. Due to…

CVSS: 9.8 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2018-06-05
Critical

CVE-2016-9488

ManageEngine Applications Manager versions 12 and 13 before build 13200 suffer from remote SQL injection vulnerabilities. An unauthenticated attacker is able to access the URL /servlet/MenuHandlerSer…

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2018-05-11
High

CVE-2018-6619

Easy Hosting Control Panel (EHCP) v0.37.12.b makes it easier for attackers to crack database passwords by leveraging use of a weak hashing algorithm without a salt.

CVSS: 7.8 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2018-04-23
Critical

CVE-2017-7893

In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master.

CVSS: 9.8 CWE: N/A View on NVD
2018-04-04
Medium

CVE-2018-1447

The GSKit (IBM Spectrum Protect 7.1 and 7.2) and (IBM Spectrum Protect Snapshot 4.1.3, 4.1.4, and 4.1.6) CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of…

CVSS: 5.1 CWE: CWE-916 - Use of Password Hash With Insufficient Computational Effort View on NVD
2018-03-19
Low

CVE-2018-5552

Versions of DocuTrac QuicDoc and Office Therapy that ship with DTISQLInstaller.exe version 1.6.4.0 and prior contains a hard-coded cryptographic salt, "S@l+&pepper".

CVSS: 2.9 CWE: CWE-760 - Use of a One-Way Hash with a Predictable Salt View on NVD
2017-11-23
Critical

CVE-2017-13701

An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. The backup file contains sensitive information in a insecure way. There is no salt for password hashing. Indeed passwords are sto…

CVSS: 9.8 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-10-24
High

CVE-2017-14696

SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request.

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
Critical

CVE-2017-14695

Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials…

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2017-10-10
Medium

CVE-2015-6918

salt before 2015.5.5 leaks git usernames and passwords to the log.

CVSS: 6.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-09-26
High

CVE-2017-5200

Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via Salt's ssh_client.

CVSS: 8.8 CWE: N/A View on NVD
High

CVE-2017-5192

When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all au…

CVSS: 8.8 CWE: CWE-287 - Improper Authentication View on NVD
2017-08-25
High

CVE-2015-4017

Salt before 2014.7.6 does not verify certificates when connecting via the aliyun, proxmox, and splunk modules.

CVSS: 7.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-08-23
Critical

CVE-2017-12791

Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master…

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2017-08-09
Critical

CVE-2015-6941

win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before 2015.5.6, and 2015.8.x before 2015.8.1 leak password information in debug logs.

CVSS: 9.8 CWE: CWE-534 View on NVD
2017-08-04
Critical

CVE-2015-9107

Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn't use a per-system key o…

CVSS: 9.8 CWE: CWE-310 View on NVD
2017-08-01
Medium

CVE-2017-11131

An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android, through 0.0.80w for Web, and through 0.0.86 for Desktop. For authentication, the user password is hashed directly with SH…

CVSS: 5.9 CWE: CWE-916 - Use of Password Hash With Insufficient Computational Effort View on NVD
2017-04-30
High

CVE-2017-8081

Poor cryptographic salt initialization in admin/inc/template_functions.php in GetSimple CMS 3.3.13 allows a network attacker to escalate privileges to an arbitrary user or conduct CSRF attacks via ca…

CVSS: 8.8 CWE: CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) View on NVD
2017-04-25
High

CVE-2017-8109

The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on co…

CVSS: 7.8 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-02-07
Critical

CVE-2016-9639

Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching.

CVSS: 9.1 CWE: CWE-284 - Improper Access Control View on NVD
2017-02-01
Medium

CVE-2016-3034

IBM AppScan Source uses a one-way hash without salt to encrypt highly sensitive information, which could allow a local attacker to decrypt information more easily.

CVSS: 4.4 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
2017-01-31
Medium

CVE-2016-3176

Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with…

CVSS: 5.6 CWE: CWE-287 - Improper Authentication View on NVD
2017-01-30
Low

CVE-2015-8034

The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file.

CVSS: 3.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-01-20
Critical

CVE-2017-5543

includes/classes/ia.core.users.php in Subrion CMS 4.0.5 allows remote attackers to conduct PHP Object Injection attacks via crafted serialized data in a salt cookie in a login request.

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2016-12-16
Medium

CVE-2016-9964

redirect() in bottle.py in bottle 0.12.10 doesn't filter a "\r\n" sequence, which leads to a CRLF attack, as demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call.

CVSS: 6.5 CWE: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection') View on NVD
2016-04-12
High

CVE-2016-1866

Salt 2015.8.x before 2015.8.4 does not properly handle clear messages on the minion, which allows man-in-the-middle attackers to execute arbitrary code by inserting packets into the minion-master dat…

CVSS: 8.1 CWE: CWE-284 - Improper Access Control View on NVD
2016-04-11
Medium

CVE-2014-9759

Incomplete blacklist vulnerability in the config_is_private function in config_api.php in MantisBT 1.3.x before 1.3.0 allows remote attackers to obtain sensitive master salt configuration information…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2015-11-25
Medium

CVE-2015-5318

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via…

CVSS: 6.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2015-10-26
Medium

CVE-2015-5288

The crypt function in contrib/pgcrypto in PostgreSQL before 9.0.23, 9.1.x before 9.1.19, 9.2.x before 9.2.14, 9.3.x before 9.3.10, and 9.4.x before 9.4.5 allows attackers to cause a denial of service…

CVSS: 6.4 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2015-07-05
Medium

CVE-2015-4129

SQL injection vulnerability in Subrion CMS before 3.3.3 allows remote authenticated users to execute arbitrary SQL commands via modified serialized data in a salt cookie.

CVSS: 6.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2015-03-16
Medium

CVE-2014-9687

eCryptfs 104 and earlier uses a default salt to encrypt the mount passphrase, which makes it easier for attackers to obtain user passwords via a brute force attack.

CVSS: 5.0 CWE: CWE-255 View on NVD
2014-10-29
Low

CVE-2014-8518

The (1) Removable Media and (2) CD and DVD encryption offsite access options (formerly Endpoint Encryption for Removable Media or EERM) in McAfee File and Removable Media Protection (FRP) 4.3.0.x, an…

CVSS: 2.1 CWE: CWE-255 View on NVD
2014-08-22
High

CVE-2014-3563

Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-s…

CVSS: 7.2 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
2014-07-07
Medium

CVE-2014-3489

lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force atta…

CVSS: 4.3 CWE: CWE-255 View on NVD
2014-05-30
Medium

CVE-2014-2354

Cogent DataHub before 7.3.5 does not use a salt during password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack.

CVSS: 6.0 CWE: CWE-916 - Use of Password Hash With Insufficient Computational Effort View on NVD
2014-05-08
Medium

CVE-2013-0173

Foreman before 1.1 uses a salt of "foreman" to hash root passwords, which makes it easier for attackers to guess the password via a brute force attack.

CVSS: 5.0 CWE: CWE-310 View on NVD
2013-12-27
Medium

CVE-2013-2179

X.Org xdm 1.1.10, 1.1.11, and possibly other versions, when performing authentication using certain implementations of the crypt API function that can return NULL, allows remote attackers to cause a…

CVSS: 4.3 CWE: CWE-310 View on NVD
2013-11-05
Critical

CVE-2013-6617

The salt master in Salt (aka SaltStack) 0.11.0 through 0.17.0 does not properly drop group privileges, which makes it easier for remote attackers to gain privileges.

CVSS: 10.0 CWE: CWE-264 View on NVD
Medium

CVE-2013-4439

Salt (aka SaltStack) before 0.15.0 through 0.17.0 allows remote authenticated minions to impersonate arbitrary minions via a crafted minion with a valid key.

CVSS: 4.9 CWE: CWE-264 View on NVD
High

CVE-2013-4438

Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspecified vectors. NOTE: the vendor states that this might not be a vulnerability because the YAML to…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Critical

CVE-2013-4437

Unspecified vulnerability in salt-ssh in Salt (aka SaltStack) 0.17.0 has unspecified impact and vectors related to "insecure Usage of /tmp."

CVSS: 10.0 CWE: N/A View on NVD
Critical

CVE-2013-4436

The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle…

CVSS: 9.3 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2013-4435

Salt (aka SaltStack) 0.15.0 through 0.17.0 allows remote authenticated users who are using external authentication or client ACL to execute restricted routines by embedding the routine in another rou…

CVSS: 6.0 CWE: CWE-287 - Improper Authentication View on NVD
2013-10-27
Medium

CVE-2013-4122

Cyrus SASL 2.1.23, 2.1.26, and earlier does not properly handle when a NULL value is returned upon an error by the crypt function as implemented in glibc 2.17 and later, which allows remote attackers…

CVSS: 4.3 CWE: CWE-189 View on NVD
2013-10-01
Medium

CVE-2012-5627

Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 does not modify the salt during multiple executions of the change_user command within the same connection wh…

CVSS: 4.0 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2013-09-16
Medium

CVE-2013-4132

KDE-Workspace 4.10.5 and earlier does not properly handle the return value of the glibc 2.17 crypt and pw_encrypt functions, which allows remote attackers to cause a denial of service (NULL pointer d…

CVSS: 5.0 CWE: CWE-310 View on NVD
2012-11-21
Medium

CVE-2012-4409

Stack-based buffer overflow in the check_file_head function in extra.c in mcrypt 2.6.8 and earlier allows user-assisted remote attackers to execute arbitrary code via an encrypted file with a crafted…

CVSS: 6.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2012-09-21
Medium

CVE-2012-3137

The authentication protocol in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote attackers to obtain the session key and salt for arbitrary users, wh…

CVSS: 6.4 CWE: CWE-287 - Improper Authentication View on NVD
2012-08-07
Medium

CVE-2012-2317

The Debian php_crypt_revamped.patch patch for PHP 5.3.x, as used in the php5 package before 5.3.3-7+squeeze4 in Debian GNU/Linux squeeze, the php5 package before 5.3.2-1ubuntu4.17 in Ubuntu 10.04 LTS…

CVSS: 4.3 CWE: CWE-310 View on NVD
2012-06-09
Medium

CVE-2012-2565

Bloxx Web Filtering before 5.0.14 does not use a salt during calculation of a password hash, which makes it easier for context-dependent attackers to determine cleartext passwords via a rainbow-table…

CVSS: 5.8 CWE: CWE-264 View on NVD
2011-11-10
Medium

CVE-2011-4432

www/include/configuration/nconfigObject/contact/DB-Func.php in Merethis Centreon before 2.3.2 does not use a salt during calculation of a password hash, which makes it easier for context-dependent at…

CVSS: 5.0 CWE: CWE-310 View on NVD
2011-08-25
Critical

CVE-2011-3268

Buffer overflow in the crypt function in PHP before 5.3.7 allows context-dependent attackers to have an unspecified impact via a long salt argument, a different vulnerability than CVE-2011-2483.

CVSS: 10.0 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
Medium

CVE-2011-3189

The crypt function in PHP 5.3.7, when the MD5 hash type is used, returns the value of the salt argument instead of the hashed string, which might allow remote attackers to bypass authentication via a…

CVSS: 4.3 CWE: CWE-310 View on NVD
2010-11-06
High

CVE-2009-5014

The default quickstart configuration of TurboGears2 (aka tg2) before 2.0.2 has a weak cookie salt, which makes it easier for remote attackers to bypass repoze.who authentication via a forged authoriz…

CVSS: 7.5 CWE: CWE-310 View on NVD
2009-12-16
High

CVE-2009-4304

Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 does not use a random password salt in config.php, which makes it easier for attackers to conduct brute-force password guessing attacks.

CVSS: 7.5 CWE: CWE-255 View on NVD
2009-08-24
High

CVE-2009-2951

Phenotype CMS before 2.9 does not use a random salt value for password encryption, which makes it easier for context-dependent attackers to determine cleartext passwords.

CVSS: 7.5 CWE: CWE-310 View on NVD
2008-11-04
High

CVE-2008-4905

Typo 5.1.3 and earlier uses a hard-coded salt for calculating password hashes, which makes it easier for attackers to guess passwords via a brute force attack.

CVSS: 7.5 CWE: CWE-330 - Use of Insufficiently Random Values View on NVD
2008-05-18
High

CVE-2008-2291

axengine.exe in Symantec Altiris Deployment Solution 6.8.x and 6.9.x before 6.9.176 generates credentials with a fixed salt or without any salt, which makes it easier for remote attackers to guess en…

CVSS: 7.5 CWE: CWE-255 View on NVD
2008-03-26
High

CVE-2008-1526

ZyXEL Prestige routers, including P-660, P-661, and P-662 models with firmware 3.40(PE9) and 3.40(AGD.2) through 3.40(AHQ.3), do not use a salt when calculating an MD5 password hash, which makes it e…

CVSS: 7.5 CWE: CWE-916 - Use of Password Hash With Insufficient Computational Effort View on NVD
2006-04-04
Medium

CVE-2006-1058

BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables.

CVSS: 5.5 CWE: CWE-916 - Use of Password Hash With Insufficient Computational Effort View on NVD
2003-09-22
Critical

CVE-2003-0780

Buffer overflow in get_salt_from_password from sql_acl.cc for MySQL 4.0.14 and earlier, and 3.23.x, allows attackers with ALTER TABLE privileges to execute arbitrary code via a long Password field.

CVSS: 9.0 CWE: N/A View on NVD
2002-12-31
High

CVE-2002-1657

PostgreSQL uses the username for a salt when generating passwords, which makes it easier for remote attackers to guess passwords via a brute force attack.

CVSS: 7.5 CWE: CWE-916 - Use of Password Hash With Insufficient Computational Effort View on NVD
Medium

CVE-2002-1975

Sharp Zaurus PDA SL-5000D and SL-5500 uses a salt of "A0" to encrypt the screen-locking password as stored in the Security.conf file, which makes it easier for local users to guess the password via b…

CVSS: 5.5 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
2001-08-31
Critical

CVE-2001-0967

Knox Arkeia server 4.2, and possibly other versions, uses a constant salt when encrypting passwords using the crypt() function, which makes it easier for an attacker to conduct brute force password g…

CVSS: 9.8 CWE: CWE-916 - Use of Password Hash With Insufficient Computational Effort View on NVD
2001-08-04
Critical

CVE-2001-1356

NetWin SurgeFTP 2.0f and earlier encrypts passwords using weak hashing, a fixed salt value and modulo 40 calculations, which allows remote attackers to conduct brute force password guessing attacks a…

CVSS: 10.0 CWE: N/A View on NVD