Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Actualizer by ChewKeanHo

    CVE-2025-47276 (GCVE-0-2025-47276)

    Vulnerability from nvd – Published: 2025-05-13 15:34 – Updated: 2025-05-13 19:31
    VLAI
    Title
    Actualizer Uses OpenSSL's "-passwd" Function Which Uses SHA512 Under The Hood Instead of Proper Password Hasher like Yescript/Argon2i
    Summary
    Actualizer is a single shell script solution to allow developers and embedded engineers to create Debian operating systems (OS). Prior to version 1.2.0, Actualizer uses OpenSSL's "-passwd" function, which uses SHA512 instead of a more suitable password hasher like Yescript/Argon2i. All Actualizer users building a full Debian Operating System are affected. Users should upgrade to version 1.2.0 of Actualizer. Existing OS deployment requires manual password changes against the alpha and root accounts. The change will deploy's Debian's yescript overriding the older SHA512 hash created by OpenSSL. As a workaround, users need to reset both `root` and "Alpha" users' passwords.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    ChewKeanHo Actualizer Affected: < 1.2.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47276",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-13T19:31:14.270803Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-13T19:31:22.672Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Actualizer",
              "vendor": "ChewKeanHo",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Actualizer is a single shell script solution to allow developers and embedded engineers to create Debian operating systems (OS). Prior to version 1.2.0, Actualizer uses OpenSSL\u0027s  \"-passwd\" function, which uses SHA512 instead of a more suitable password hasher like Yescript/Argon2i. All Actualizer users building a full Debian Operating System are affected. Users should upgrade to version 1.2.0 of Actualizer. Existing OS deployment requires manual password changes against the alpha and root accounts. The change will deploy\u0027s Debian\u0027s yescript overriding the older SHA512 hash created by OpenSSL. As a workaround, users need to reset both `root` and \"Alpha\" users\u0027 passwords."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-328",
                  "description": "CWE-328: Use of Weak Hash",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-13T15:34:28.801Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/ChewKeanHo/Actualizer/security/advisories/GHSA-v626-chv9-v9qr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ChewKeanHo/Actualizer/security/advisories/GHSA-v626-chv9-v9qr"
            },
            {
              "name": "https://github.com/ChewKeanHo/Actualizer/issues/1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ChewKeanHo/Actualizer/issues/1"
            },
            {
              "name": "https://github.com/openssl/openssl/issues/19340",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openssl/openssl/issues/19340"
            },
            {
              "name": "https://github.com/ChewKeanHo/Actualizer/commit/32c9cc232c856f078f8269fba80ce7562bbff86b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ChewKeanHo/Actualizer/commit/32c9cc232c856f078f8269fba80ce7562bbff86b"
            },
            {
              "name": "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html"
            },
            {
              "name": "https://github.com/ChewKeanHo/Actualizer/releases/tag/v1.2.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ChewKeanHo/Actualizer/releases/tag/v1.2.0"
            },
            {
              "name": "https://www.reddit.com/r/debian/comments/1kknzqi/actualizer_v110_upgraded",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.reddit.com/r/debian/comments/1kknzqi/actualizer_v110_upgraded"
            }
          ],
          "source": {
            "advisory": "GHSA-v626-chv9-v9qr",
            "discovery": "UNKNOWN"
          },
          "title": "Actualizer Uses OpenSSL\u0027s  \"-passwd\" Function Which Uses SHA512 Under The Hood Instead of Proper Password Hasher like Yescript/Argon2i"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-47276",
        "datePublished": "2025-05-13T15:34:28.801Z",
        "dateReserved": "2025-05-05T16:53:10.372Z",
        "dateUpdated": "2025-05-13T19:31:22.672Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-47276 (GCVE-0-2025-47276)

    Vulnerability from cvelistv5 – Published: 2025-05-13 15:34 – Updated: 2025-05-13 19:31
    VLAI
    Title
    Actualizer Uses OpenSSL's "-passwd" Function Which Uses SHA512 Under The Hood Instead of Proper Password Hasher like Yescript/Argon2i
    Summary
    Actualizer is a single shell script solution to allow developers and embedded engineers to create Debian operating systems (OS). Prior to version 1.2.0, Actualizer uses OpenSSL's "-passwd" function, which uses SHA512 instead of a more suitable password hasher like Yescript/Argon2i. All Actualizer users building a full Debian Operating System are affected. Users should upgrade to version 1.2.0 of Actualizer. Existing OS deployment requires manual password changes against the alpha and root accounts. The change will deploy's Debian's yescript overriding the older SHA512 hash created by OpenSSL. As a workaround, users need to reset both `root` and "Alpha" users' passwords.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    ChewKeanHo Actualizer Affected: < 1.2.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47276",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-13T19:31:14.270803Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-13T19:31:22.672Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Actualizer",
              "vendor": "ChewKeanHo",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Actualizer is a single shell script solution to allow developers and embedded engineers to create Debian operating systems (OS). Prior to version 1.2.0, Actualizer uses OpenSSL\u0027s  \"-passwd\" function, which uses SHA512 instead of a more suitable password hasher like Yescript/Argon2i. All Actualizer users building a full Debian Operating System are affected. Users should upgrade to version 1.2.0 of Actualizer. Existing OS deployment requires manual password changes against the alpha and root accounts. The change will deploy\u0027s Debian\u0027s yescript overriding the older SHA512 hash created by OpenSSL. As a workaround, users need to reset both `root` and \"Alpha\" users\u0027 passwords."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-328",
                  "description": "CWE-328: Use of Weak Hash",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-13T15:34:28.801Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/ChewKeanHo/Actualizer/security/advisories/GHSA-v626-chv9-v9qr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ChewKeanHo/Actualizer/security/advisories/GHSA-v626-chv9-v9qr"
            },
            {
              "name": "https://github.com/ChewKeanHo/Actualizer/issues/1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ChewKeanHo/Actualizer/issues/1"
            },
            {
              "name": "https://github.com/openssl/openssl/issues/19340",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openssl/openssl/issues/19340"
            },
            {
              "name": "https://github.com/ChewKeanHo/Actualizer/commit/32c9cc232c856f078f8269fba80ce7562bbff86b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ChewKeanHo/Actualizer/commit/32c9cc232c856f078f8269fba80ce7562bbff86b"
            },
            {
              "name": "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html"
            },
            {
              "name": "https://github.com/ChewKeanHo/Actualizer/releases/tag/v1.2.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ChewKeanHo/Actualizer/releases/tag/v1.2.0"
            },
            {
              "name": "https://www.reddit.com/r/debian/comments/1kknzqi/actualizer_v110_upgraded",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.reddit.com/r/debian/comments/1kknzqi/actualizer_v110_upgraded"
            }
          ],
          "source": {
            "advisory": "GHSA-v626-chv9-v9qr",
            "discovery": "UNKNOWN"
          },
          "title": "Actualizer Uses OpenSSL\u0027s  \"-passwd\" Function Which Uses SHA512 Under The Hood Instead of Proper Password Hasher like Yescript/Argon2i"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-47276",
        "datePublished": "2025-05-13T15:34:28.801Z",
        "dateReserved": "2025-05-05T16:53:10.372Z",
        "dateUpdated": "2025-05-13T19:31:22.672Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }