CVE-2021-21253 : OnlineVotingSystem is an open source project hosted on GitHub. OnlineVotingSystem before version 1.1.2 hashes user passw

OnlineVotingSystem is an open source project hosted on GitHub. OnlineVotingSystem before version 1.1.2 hashes user passwords without a salt, which is vulnerable to dictionary attacks. Therefore there is a threat of security breach in the voting system. Without a salt, it is much easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables to crack passwords. This problem is fixed and published in version 1.1.2. A long randomly generated salt is added to the password hash function to better protect passwords stored in the voting system.

Published 2021-01-21 15:15:15

Updated 2022-10-24 20:58:10

Source GitHub, Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2021-21253

Probability of exploitation activity in the next 30 days: 0.07%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 30 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-21253

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
5.8	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N	3.9	1.4	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2021-21253

CWE-759 Use of a One-Way Hash without a Salt

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.

Assigned by: security-advisories@github.com (Secondary)
CWE-916 Use of Password Hash With Insufficient Computational Effort

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-21253

https://github.com/dbijaya/OnlineVotingSystem/commit/0181cb0272857696c8eb3e44fcf6cb014ff90f09

Add a salt to SHA-256 hash · dbijaya/OnlineVotingSystem@0181cb0 · GitHub
Patch;Third Party Advisory
https://github.com/dbijaya/OnlineVotingSystem/security/advisories/GHSA-wwg8-372v-v332

Use of a One-Way Hash without a Salt · Advisory · dbijaya/OnlineVotingSystem · GitHub
Third Party Advisory

Products affected by CVE-2021-21253

Onlinevotingsystem Project » Onlinevotingsystem
Versions before (<) 1.1.2
cpe:2.3:a:onlinevotingsystem_project:onlinevotingsystem:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2021-21253

Exploit prediction scoring system (EPSS) score for CVE-2021-21253

CVSS scores for CVE-2021-21253

CWE ids for CVE-2021-21253

References for CVE-2021-21253

Products affected by CVE-2021-21253