Vulnerability DatabaseGHSA-qh54-9vc5-m9fg

GHSA-qh54-9vc5-m9fg:
vulnerability analysis and mitigation

Overview

The vulnerability (GHSA-qh54-9vc5-m9fg) affects the MD5 hash support in github.com/foxcpp/maddy, specifically versions 0.5.0 and 0.5.1. The issue was discovered and published on October 11, 2021, and affects users utilizing the auth.shadow module on systems that still allow MD5 hashes in /etc/shadows (GitHub Advisory).

Technical details

The vulnerability has been assigned a CVSS v3.1 score of 3.0 (Low severity) with the following metrics: Attack Vector: Local, Attack Complexity: High, Privileges Required: High, User Interaction: None, Scope: Unchanged, Confidentiality: Low, Integrity: Low, and Availability: None. The vulnerability is associated with CWE-327 and has been assigned CVE-2021-42583 (GitHub Advisory).

Impact

The vulnerability impacts systems using the auth.shadow module in maddy versions 0.5.0 and 0.5.1, specifically affecting environments where MD5 hashes are still present in /etc/shadow. The impact is characterized by low confidentiality and integrity risks (GitHub Advisory).

Mitigation and workarounds

A patch has been released as part of version 0.5.2. As a workaround, users are advised to ensure MD5 hashes are not present in /etc/shadow (GitHub Advisory).