Use of Weak Hash

Property
Language: java
Severity: high
CWE: CWE-328: Use of Weak Hash
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: High
Impact Level: Medium
Likelihood Level: Medium
Likelihood LevelMedium

Description

The code uses the MD5 hashing algorithm, which is outdated and insecure because it is vulnerable to collisions. This means attackers can create different inputs that produce the same hash value, making MD5 unsuitable for protecting sensitive data or verifying integrity.

Impact

If MD5 is used for hashing passwords, signatures, or sensitive data, attackers could forge data or bypass authentication by exploiting hash collisions. This can lead to data breaches, unauthorized access, and loss of trust in the application’s security.

Use of Weak Hash

Property
Language: php
Severity: low
CWE: CWE-328: Use of Weak Hash
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The code uses outdated or insecure cryptographic functions like md5, sha1, or crypt, which are no longer considered safe for hashing sensitive data. These functions are vulnerable to attacks that can compromise passwords or other protected information.

Impact

If an attacker exploits this weakness, they could crack hashed passwords or tamper with supposedly secure data, leading to unauthorized access, data breaches, or manipulation of protected information. This can undermine user trust and expose the application to regulatory or reputational risks.

Use of Weak Hash

Property
Language: ruby
Severity: medium
CWE: CWE-328: Use of Weak Hash
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Low

Description

The code uses the SHA1 hashing algorithm, which is outdated and no longer secure due to proven vulnerabilities that allow attackers to create hash collisions. It’s recommended to use stronger algorithms like SHA256 or SHA3 instead.

Impact

If SHA1 is used, attackers could exploit hash collisions to forge or tamper with data, potentially bypassing security checks or compromising sensitive information. This can lead to data breaches, authentication bypass, or other critical security failures in your application.

Use of Weak Hash

Property
Language: ruby
Severity: medium
CWE: CWE-328: Use of Weak Hash
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

The code uses the MD5 hashing algorithm, which is outdated and vulnerable to brute-force and collision attacks. MD5 should not be used for hashing sensitive data or security-critical operations.

Impact

Attackers can exploit MD5’s weaknesses to generate matching hashes for different inputs, potentially allowing them to bypass authentication, tamper with data, or forge digital signatures. This puts sensitive information and system integrity at serious risk.

Use of Weak Hash

Property
Language: rust
Severity: medium
CWE: CWE-328: Use of Weak Hash
Confidence Level: High
Impact Level: Medium
Likelihood Level: Low

Description

The code uses outdated and insecure hash functions like MD2, MD4, MD5, or SHA1 for cryptographic purposes. These algorithms are considered broken and can be exploited by attackers to compromise data integrity or security.

Impact

Attackers may be able to generate hash collisions or reverse engineer sensitive data, leading to unauthorized access, data tampering, or credential compromise. This can put user information and application security at serious risk.

Use of Weak Hash (4.12)

Property
Language: ocaml
Severity: medium
CWE: CWE-328: Use of Weak Hash (4.12)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Medium

Description

The OCaml Digest module uses the outdated MD5 hashing algorithm, which is no longer considered secure. Using it for hashing sensitive data can expose your application to security risks.

Impact

Attackers could exploit weaknesses in MD5 to create hash collisions, allowing them to bypass integrity checks, tamper with data, or impersonate users. This can lead to data breaches, unauthorized access, or other serious security issues.

Use of Web Link to Untrusted Target with window.opener Access

Property
Language: generic
Severity: medium
CWE: CWE-1022: Use of Web Link to Untrusted Target with window.opener Access
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

Using links with target="_blank" without adding rel="noopener noreferrer" lets the new page access the original page via window.opener. This can expose your site to malicious actions from external or untrusted pages.

Impact

If exploited, an attacker could manipulate the original page or redirect users to phishing sites by taking control through window.opener. This can lead to data theft, session hijacking, or loss of user trust in your application.

User data for EC2 instances must not contain sensitive AWS keys

Property
Language: terraform
Severity: critical
Service: ec2
Provider: AWS
Vulnerability Type: misconfiguration

Description

Storing sensitive AWS access keys or credentials in EC2 user data exposes them in plain text, as user data is accessible via the AWS Management Console and API. This practice bypasses secure credential management and increases the risk of unauthorized access.

Impact

If exploited, attackers can obtain AWS credentials from user data, allowing them to assume the privileges of the compromised keys. This can lead to unauthorized access, data breaches, resource manipulation, or full account compromise, severely impacting the security of AWS resources.

User data for EC2 instances must not contain sensitive AWS keys

Property
Language: terraform
Severity: critical
Service: ec2
Provider: AWS
Vulnerability Type: misconfiguration

Description

Sensitive AWS access keys or credentials are included in EC2 instance user data, making them accessible in plain text to anyone with permission to view the instance’s user data. This practice exposes critical secrets rather than using secure mechanisms like IAM Instance Profiles.

Impact

If exploited, attackers or unauthorized users with access to the EC2 instance metadata or AWS console could retrieve AWS credentials and gain unauthorized access to AWS resources, potentially leading to data breaches, resource compromise, or full account takeover.

User Interface (UI) Misrepresentation of Critical Information

Property
Language: javascript
Severity: medium
CWE: CWE-451: User Interface (UI) Misrepresentation of Critical Information
OWASP: A04:2021 - Insecure Design
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The application sets the ‘X-Frame-Options’ HTTP header based on user input, allowing clients to control whether your pages can be embedded in iframes. This weakens protections against clickjacking attacks and should not be user-controllable.

Impact

If exploited, attackers could bypass frame restrictions and embed your site in malicious pages, potentially tricking users into clicking hidden UI elements (clickjacking). This could lead to unauthorized actions, data theft, or reputational damage to your application.