CVE-2024-47182:

Dozzle versions prior to 8.5.3 stored user passwords using SHA-256, a weak hash that is vulnerable to rainbow-table attacks; upgrading to version 8.5.3 or later switches password hashing to bcrypt, mitigating the issue.

Score
A numerical rating that indicates how dangerous this vulnerability is.

7.5High

Published Date:Sep 27, 2024
CISA KEV Date:*No Data*
Industries Affected:20

Threat Predictions

EPSS Score:0.2
EPSS Percentile:42%

Exploitability

Score:3.9
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:NONE
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:3.6
Confidentiality Impact:HIGH
Integrity Impact:NONE
Availability Impact:NONE

Description Preview

Overview

Dozzle before version 8.5.3 used SHA-256 to hash passwords, which is not ideal for password storage and makes accounts vulnerable to rainbow-table attacks when an attacker can reach the login interface over the network. The vulnerability is mitigated by the move to bcrypt in version 8.5.3, which provides proper salting and iteration-based hashing to resist precomputed attacks. The affected scope includes all releases prior to 8.5.3, and exploitation requires network access with no user interaction.

Remediation

Upgrade Dozzle to version 8.5.3 or later to ensure bcrypt is used for password hashing.
After upgrading, force a global password reset or re-authentication for all users to ensure all credentials are rehashed with bcrypt (if the system does not automatically rehash on upgrade).
If upgrading is not immediately possible, limit exposure:
Restrict Dozzle access to trusted networks and require TLS.
Place Dozzle behind a secure reverse proxy with access controls.
Disable or tightly control any unauthenticated or public endpoints.
Plan and implement a user password rotation/reset campaign as a temporary measure.
Review monitoring and audit logs for authentication events and verify that password storage uses bcrypt going forward.