CVE-2024-47182: 
Linux openSUSE vulnerability analysis and mitigation

CVE-2024-47182 affects Dozzle, a realtime log viewer for docker containers, in versions prior to 8.5.3. The vulnerability was discovered and disclosed on September 27, 2024, with the main security concern being the use of SHA-256 for password hashing, which is considered cryptographically insufficient for password storage (NVD, GitHub Advisory).

The vulnerability stems from the application's use of SHA-256, a message digest hash function, for password storage. SHA-256, while being a cryptographic hash function, is designed to be computationally fast, which makes it unsuitable for password hashing. This implementation choice goes against security best practices, as password hashing mechanisms should be intentionally slow to protect against brute-force attacks. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) by NIST NVD, though GitHub's assessment rates it at 4.8 (MEDIUM) (NVD).

The primary impact of this vulnerability is that it leaves users susceptible to rainbow table attacks. Rainbow tables are pre-computed tables for reversing cryptographic hash functions, making it easier for attackers to crack password hashes. The use of SHA-256 for password hashing significantly reduces the computational effort required to crack passwords compared to more appropriate password hashing algorithms (GitHub Advisory).

The vulnerability has been patched in Dozzle version 8.5.3, which implements bcrypt as the password hashing algorithm. Users are strongly advised to upgrade to this version or later. For those unable to upgrade immediately, it's important to note that the application will continue to support SHA-256 hashed passwords for backward compatibility, but users should update their password hashes to bcrypt using the command docker run amir20/dozzle generate (GitHub Commit).