GHSA-g636-q5fc-4pr7: 
vulnerability analysis and mitigation

A security vulnerability was identified in the moov-io/customers Go package (GHSA-g636-q5fc-4pr7), affecting versions prior to 0.5.0. The vulnerability was discovered and reported by @alovak, published on October 22, 2020, and last updated on January 9, 2023. The issue involves the absence of salt when generating hash values for account numbers, making the system potentially vulnerable to rainbow table attacks (GitHub Advisory).

The vulnerability stems from the implementation of account number hashing functionality where the hash.AccountNumber operation was performed without incorporating a salt value. This implementation oversight makes the hashing mechanism susceptible to rainbow table attacks. The vulnerability has been assigned a Low severity rating (GitHub Advisory).

The absence of salt in the hashing process makes it theoretically possible for attackers to use rainbow tables to reverse the hashed account numbers, potentially compromising the confidentiality of account information (GitHub Advisory).

The vulnerability has been patched in version 0.5.0 of the moov-io/customers package. The recommended solution involves implementing salt generation per tenant or organization when performing account number hashing operations (GitHub Advisory).