Vulnerability-Lookup

CVE-2024-29886 (GCVE-0-2024-29886)

Vulnerability from cvelistv5 – Published: 2024-03-27 18:42 – Updated: 2024-08-02 01:17

Title

Improved security for stored password hashes

Summary

Serverpod is an app and web server, built for the Flutter and Dart ecosystem. An issue was identified with the old password hash algorithm that made it susceptible to rainbow attacks if the database was compromised. This vulnerability is fixed by 1.2.6.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-916 - Use of Password Hash With Insufficient Computational Effort

Assigner

GitHub_M

References

URL

Tags

	https://github.com/serverpod/serverpod/security/a…	x_refsource_CONFIRM
	https://github.com/serverpod/serverpod/commit/a78…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	serverpod	serverpod	Affected: < 1.2.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:serverpod:serverpod:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "serverpod",
            "vendor": "serverpod",
            "versions": [
              {
                "lessThan": "1.2.6",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-29886",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-01T17:34:12.298367Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-01T17:45:01.387Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:17:58.459Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/serverpod/serverpod/security/advisories/GHSA-r75m-26cq-mjxc",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/serverpod/serverpod/security/advisories/GHSA-r75m-26cq-mjxc"
          },
          {
            "name": "https://github.com/serverpod/serverpod/commit/a78b9e9f1de74d1300633a122b6cc0f064139ad6",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/serverpod/serverpod/commit/a78b9e9f1de74d1300633a122b6cc0f064139ad6"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "serverpod",
          "vendor": "serverpod",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.2.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Serverpod is an app and web server, built for the Flutter and Dart ecosystem. An issue was identified with the old password hash algorithm that made it susceptible to rainbow attacks if the database was compromised. This vulnerability is fixed by 1.2.6."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-916",
              "description": "CWE-916: Use of Password Hash With Insufficient Computational Effort",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-27T18:42:45.113Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/serverpod/serverpod/security/advisories/GHSA-r75m-26cq-mjxc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/serverpod/serverpod/security/advisories/GHSA-r75m-26cq-mjxc"
        },
        {
          "name": "https://github.com/serverpod/serverpod/commit/a78b9e9f1de74d1300633a122b6cc0f064139ad6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/serverpod/serverpod/commit/a78b9e9f1de74d1300633a122b6cc0f064139ad6"
        }
      ],
      "source": {
        "advisory": "GHSA-r75m-26cq-mjxc",
        "discovery": "UNKNOWN"
      },
      "title": "Improved security for stored password hashes"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-29886",
    "datePublished": "2024-03-27T18:42:45.113Z",
    "dateReserved": "2024-03-21T15:12:08.997Z",
    "dateUpdated": "2024-08-02T01:17:58.459Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-29886\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-03-27T19:15:49.023\",\"lastModified\":\"2026-01-08T19:09:07.950\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Serverpod is an app and web server, built for the Flutter and Dart ecosystem. An issue was identified with the old password hash algorithm that made it susceptible to rainbow attacks if the database was compromised. This vulnerability is fixed by 1.2.6.\"},{\"lang\":\"es\",\"value\":\"Serverpod es una aplicaci\u00f3n y un servidor web, creado para el ecosistema Flutter y Dart. Se identific\u00f3 un problema con el antiguo algoritmo hash de contrase\u00f1a que lo hac\u00eda susceptible a ataques de arco\u00edris si la base de datos se ve\u00eda comprometida. Esta vulnerabilidad se soluciona en 1.2.6.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-916\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:serverpod:serverpod:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.2.6\",\"matchCriteriaId\":\"A2C260FA-6F65-4949-8FE7-0CAB169EEB27\"}]}]}],\"references\":[{\"url\":\"https://github.com/serverpod/serverpod/commit/a78b9e9f1de74d1300633a122b6cc0f064139ad6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/serverpod/serverpod/security/advisories/GHSA-r75m-26cq-mjxc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/serverpod/serverpod/commit/a78b9e9f1de74d1300633a122b6cc0f064139ad6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/serverpod/serverpod/security/advisories/GHSA-r75m-26cq-mjxc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-29886\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-01T17:34:12.298367Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:serverpod:serverpod:*:*:*:*:*:*:*:*\"], \"vendor\": \"serverpod\", \"product\": \"serverpod\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.2.6\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-01T17:44:54.520Z\"}}], \"cna\": {\"title\": \"Improved security for stored password hashes\", \"source\": {\"advisory\": \"GHSA-r75m-26cq-mjxc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"serverpod\", \"product\": \"serverpod\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.2.6\"}]}], \"references\": [{\"url\": \"https://github.com/serverpod/serverpod/security/advisories/GHSA-r75m-26cq-mjxc\", \"name\": \"https://github.com/serverpod/serverpod/security/advisories/GHSA-r75m-26cq-mjxc\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/serverpod/serverpod/commit/a78b9e9f1de74d1300633a122b6cc0f064139ad6\", \"name\": \"https://github.com/serverpod/serverpod/commit/a78b9e9f1de74d1300633a122b6cc0f064139ad6\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Serverpod is an app and web server, built for the Flutter and Dart ecosystem. An issue was identified with the old password hash algorithm that made it susceptible to rainbow attacks if the database was compromised. This vulnerability is fixed by 1.2.6.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-916\", \"description\": \"CWE-916: Use of Password Hash With Insufficient Computational Effort\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-03-27T18:42:45.113Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-29886\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T17:45:01.387Z\", \"dateReserved\": \"2024-03-21T15:12:08.997Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-03-27T18:42:45.113Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-29886

Vulnerability from fkie_nvd - Published: 2024-03-27 19:15 - Updated: 2026-01-08 19:09

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/serverpod/serverpod/commit/a78b9e9f1de74d1300633a122b6cc0f064139ad6	Patch
security-advisories@github.com	https://github.com/serverpod/serverpod/security/advisories/GHSA-r75m-26cq-mjxc	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/serverpod/serverpod/commit/a78b9e9f1de74d1300633a122b6cc0f064139ad6	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/serverpod/serverpod/security/advisories/GHSA-r75m-26cq-mjxc	Vendor Advisory

Impacted products

	Vendor	Product	Version
	serverpod	serverpod	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:serverpod:serverpod:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2C260FA-6F65-4949-8FE7-0CAB169EEB27",
              "versionEndExcluding": "1.2.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Serverpod is an app and web server, built for the Flutter and Dart ecosystem. An issue was identified with the old password hash algorithm that made it susceptible to rainbow attacks if the database was compromised. This vulnerability is fixed by 1.2.6."
    },
    {
      "lang": "es",
      "value": "Serverpod es una aplicaci\u00f3n y un servidor web, creado para el ecosistema Flutter y Dart. Se identific\u00f3 un problema con el antiguo algoritmo hash de contrase\u00f1a que lo hac\u00eda susceptible a ataques de arco\u00edris si la base de datos se ve\u00eda comprometida. Esta vulnerabilidad se soluciona en 1.2.6."
    }
  ],
  "id": "CVE-2024-29886",
  "lastModified": "2026-01-08T19:09:07.950",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-03-27T19:15:49.023",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/serverpod/serverpod/commit/a78b9e9f1de74d1300633a122b6cc0f064139ad6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/serverpod/serverpod/security/advisories/GHSA-r75m-26cq-mjxc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/serverpod/serverpod/commit/a78b9e9f1de74d1300633a122b6cc0f064139ad6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/serverpod/serverpod/security/advisories/GHSA-r75m-26cq-mjxc"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-916"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-R75M-26CQ-MJXC

Vulnerability from github – Published: 2024-03-28 17:53 – Updated: 2024-03-28 17:53

Summary

Serverpod improved security for stored password hashes

Details

Description

Improved security for stored password hashes

Serverpod now uses the OWASP, source, recommended Argon2Id password hash algorithm to store password hashes for the email authentication module.

Starting from Serverpod 1.2.6 all users that either creates an account or authenticates with the server will have their password stored using the safer algorithm. No changes are required from the developer to start storing passwords using the safer algorithm.

Why did we change how passwords are stored?

An issue was identified with the old password hash algorithm that made it susceptible to rainbow attacks if the database was compromised.

It is strongly recommended to migrate your existing password hashes.

Migrate existing password hashes

The email authentication module provides a helper method to migrate all the existing legacy password hashes in the database. Simply call Emails.migrateLegacyPasswordHashes(...) with a session instance as an argument to migrate the password hashes.

The method is implemented as an idempotent operation and will yield the same result regardless of how many times it is called.

We recommend either implementing a web server route that can be called remotely or by calling the method as part of starting the server.

Following is example code for implementing a web server route.

Web server route code

import 'dart:io';

import 'package:serverpod/serverpod.dart';
import 'package:serverpod_auth_server/module.dart' as auth;

class MigratePasswordsRoute extends Route {
  @override
  Future<bool> handleCall(Session session, HttpRequest request) async {
    request.response.writeln(
      'Migrating legacy passwords, check the server logs for progress updates.',
    );
    _migratePasswords(session);
    return true;
  }
}

Future<void> _migratePasswords(Session session) async {
  session.log('Starting to migrate passwords.');

  var totalMigratedPasswords = 0;
  while (true) {
    try {
      var entriesMigrated = await auth.Emails.migrateLegacyPasswordHashes(
        session,
        // Process 100 database entries at a time
        batchSize: 100,
        // Stop after 500 entries have been migrated
        maxMigratedEntries: 500,
      );

      totalMigratedPasswords += entriesMigrated;
      session.log(
        'Migrated $entriesMigrated password entries, total $totalMigratedPasswords.',
      );

      if (entriesMigrated == 0) break;

      // Delay to avoid overloading the database
      await Future.delayed(Duration(seconds: 1));
    } catch (e) {
      session.log('Error migrating passwords: $e');
    }
  }

  session.log('Finished migrating passwords.');
}

How we migrate existing password hashes

Since password hashes can’t be recalculated without knowledge of the plain text password, the method in the email authentication module applies the new algorithm to the already stored password hashes.

When the affected users later authenticate, their password hash will be calculated using both algorithms in tandem. If the authentication is accepted, the stored password hash will be updated to only use the new algorithm so that further authentication only needs to run the new algorithm.

Impact

All versions of serverpod_auth_server pre 1.2.6

Patches

Upgrading to version 1.2.6 resolves this issue.

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Pub",
        "name": "serverpod_auth_server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-29886"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-916"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-28T17:53:42Z",
    "nvd_published_at": "2024-03-27T19:15:49Z",
    "severity": "MODERATE"
  },
  "details": "## Description\n\n### Improved security for stored password hashes\nServerpod now uses the OWASP, [source](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#introduction), recommended Argon2Id password hash algorithm to store password hashes for the email authentication module.\n\nStarting from Serverpod `1.2.6` all users that either creates an account or authenticates with the server will have their password stored using the safer algorithm. No changes are required from the developer to start storing passwords using the safer algorithm.\n\n### Why did we change how passwords are stored?\nAn issue was identified with the old password hash algorithm that made it susceptible to rainbow attacks if the database was compromised.\n\nIt is strongly recommended to migrate your existing password hashes.\n\n### Migrate existing password hashes\nThe email authentication module provides a helper method to migrate all the existing legacy password hashes in the database. Simply call  `Emails.migrateLegacyPasswordHashes(...)` with a session instance as an argument to migrate the password hashes.\n\nThe method is implemented as an idempotent operation and will yield the same result regardless of how many times it is called.\n\nWe recommend either implementing a web server route that can be called remotely or by calling the method as part of starting the server.\n\nFollowing is example code for implementing a web server route.\n\n\u003cdetails\u003e\u003csummary\u003e\u003ch4\u003eWeb server route code\u003c/h4\u003e\u003c/summary\u003e\n\n```dart\nimport \u0027dart:io\u0027;\n\nimport \u0027package:serverpod/serverpod.dart\u0027;\nimport \u0027package:serverpod_auth_server/module.dart\u0027 as auth;\n\nclass MigratePasswordsRoute extends Route {\n  @override\n  Future\u003cbool\u003e handleCall(Session session, HttpRequest request) async {\n    request.response.writeln(\n      \u0027Migrating legacy passwords, check the server logs for progress updates.\u0027,\n    );\n    _migratePasswords(session);\n    return true;\n  }\n}\n\nFuture\u003cvoid\u003e _migratePasswords(Session session) async {\n  session.log(\u0027Starting to migrate passwords.\u0027);\n\n  var totalMigratedPasswords = 0;\n  while (true) {\n    try {\n      var entriesMigrated = await auth.Emails.migrateLegacyPasswordHashes(\n        session,\n        // Process 100 database entries at a time\n        batchSize: 100,\n        // Stop after 500 entries have been migrated\n        maxMigratedEntries: 500,\n      );\n\n      totalMigratedPasswords += entriesMigrated;\n      session.log(\n        \u0027Migrated $entriesMigrated password entries, total $totalMigratedPasswords.\u0027,\n      );\n\n      if (entriesMigrated == 0) break;\n\n      // Delay to avoid overloading the database\n      await Future.delayed(Duration(seconds: 1));\n    } catch (e) {\n      session.log(\u0027Error migrating passwords: $e\u0027);\n    }\n  }\n\n  session.log(\u0027Finished migrating passwords.\u0027);\n}\n```\n\n\u003c/details\u003e\n\n### How we migrate existing password hashes\nSince password hashes can\u2019t be recalculated without knowledge of the plain text password, the method in the email authentication module applies the new algorithm to the already stored password hashes.\n\nWhen the affected users later authenticate, their password hash will be calculated using both algorithms in tandem. If the authentication is accepted, the stored password hash will be updated to only use the new algorithm so that further authentication only needs to run the new algorithm.\n\n### Impact\nAll versions of `serverpod_auth_server` pre `1.2.6`\n\n### Patches\nUpgrading to version `1.2.6` resolves this issue.\n",
  "id": "GHSA-r75m-26cq-mjxc",
  "modified": "2024-03-28T17:53:42Z",
  "published": "2024-03-28T17:53:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/serverpod/serverpod/security/advisories/GHSA-r75m-26cq-mjxc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29886"
    },
    {
      "type": "WEB",
      "url": "https://github.com/serverpod/serverpod/commit/a78b9e9f1de74d1300633a122b6cc0f064139ad6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/serverpod/serverpod"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Serverpod improved security for stored password hashes"
}

GSD-2024-29886

Vulnerability from gsd - Updated: 2024-04-03 05:02

Details

Aliases

CVE-2024-29886

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-29886"
      ],
      "details": "Serverpod is an app and web server, built for the Flutter and Dart ecosystem. An issue was identified with the old password hash algorithm that made it susceptible to rainbow attacks if the database was compromised. This vulnerability is fixed by 1.2.6.",
      "id": "GSD-2024-29886",
      "modified": "2024-04-03T05:02:30.440324Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-29886",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "serverpod",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 1.2.6"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "serverpod"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Serverpod is an app and web server, built for the Flutter and Dart ecosystem. An issue was identified with the old password hash algorithm that made it susceptible to rainbow attacks if the database was compromised. This vulnerability is fixed by 1.2.6."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-916",
                "lang": "eng",
                "value": "CWE-916: Use of Password Hash With Insufficient Computational Effort"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/serverpod/serverpod/security/advisories/GHSA-r75m-26cq-mjxc",
            "refsource": "MISC",
            "url": "https://github.com/serverpod/serverpod/security/advisories/GHSA-r75m-26cq-mjxc"
          },
          {
            "name": "https://github.com/serverpod/serverpod/commit/a78b9e9f1de74d1300633a122b6cc0f064139ad6",
            "refsource": "MISC",
            "url": "https://github.com/serverpod/serverpod/commit/a78b9e9f1de74d1300633a122b6cc0f064139ad6"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-r75m-26cq-mjxc",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "Serverpod is an app and web server, built for the Flutter and Dart ecosystem. An issue was identified with the old password hash algorithm that made it susceptible to rainbow attacks if the database was compromised. This vulnerability is fixed by 1.2.6."
          }
        ],
        "id": "CVE-2024-29886",
        "lastModified": "2024-03-28T02:01:21.693",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 1.4,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-03-27T19:15:49.023",
        "references": [
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/serverpod/serverpod/commit/a78b9e9f1de74d1300633a122b6cc0f064139ad6"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/serverpod/serverpod/security/advisories/GHSA-r75m-26cq-mjxc"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-916"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-29886 (GCVE-0-2024-29886)

FKIE_CVE-2024-29886

GHSA-R75M-26CQ-MJXC

Description

Improved security for stored password hashes

Why did we change how passwords are stored?

Migrate existing password hashes

Web server route code

How we migrate existing password hashes

Impact

Patches

GSD-2024-29886

Tags

Sightings

Nomenclature