CVE-2024-47182

Dozzle uses unsafe hash for passwords in github.com/amir20/dozzle. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/amir20/dozzle before v8.5.3.

### Summary The app uses sha-256 as the hash for passwords. The app should switch to bcrypt. ### Details SHA-256 is a message digest hash, and not classified as secure for password hashing. Message digest hashes are designed to be fast, while password hashing mechanisms are designed with certain cryptographic properties (e.g. slow) to protect against vulnerabilities. Refer to the links below for more information: - https://security.stackexchange.com/questions/195563/why-is-sha-256-not-good-for-passwords - https://stackoverflow.com/questions/11624372/best-practice-for-hashing-passwords-sha256-or-sha512 - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pre-hashing-passwords-with-bcrypt ### PoC N/A ### Impact It leaves users susceptible to rainbow table attacks

Dozzle es un visualizador de registros en tiempo real para contenedores Docker. Antes de la versión 8.5.3, la aplicación utilizaba sha-256 como hash para las contraseñas, lo que dejaba a los usuarios expuestos a ataques de tablas arcoíris. La aplicación cambia a bcrypt, un hash más apropiado para las contraseñas, en la versión 8.5.3.