Vulnerability Description
In Versa Director, Versa Analytics and VOS, passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgard construction (such as MD5 and SHA-1) alone are insufficient in thwarting password cracking. Attackers can generate and use precomputed hashes for all possible password character combinations (commonly referred to as "rainbow tables") relatively quickly. The use of adaptive hashing algorithms such as scrypt or bcrypt, or Key-Derivation Functions (i.e. PBKDF2), to hash passwords makes generation of such rainbow tables computationally infeasible.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Versa-Networks | Versa Analytics | - |
| Versa-Networks | Versa Director | - |
| Versa-Networks | Versa Operating System | - |
Related Weaknesses (CWE)
References
- https://hackerone.com/reports/1168197 (Third Party Advisory)
FAQ
What is CVE-2019-25030?
CVE-2019-25030 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In Versa Director, Versa Analytics and VOS, passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the ...
How severe is CVE-2019-25030?
CVE-2019-25030 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2019-25030?
Check the references section above for vendor advisories and patch information. Affected products include: Versa-Networks Versa Analytics, Versa-Networks Versa Director, Versa-Networks Versa Operating System.