CVE-2024-24553

Bludit uses SHA1 as Password Hashing Algorithm

Description

Bludit uses the SHA-1 hashing algorithm to compute password hashes. Thus, attackers could determine cleartext passwords with brute-force attacks due to the inherent speed of SHA-1. In addition, the salt that is computed by Bludit is generated with a non-cryptographically secure function.

Remediation

Solution:

  • To address this vulnerability, it is imperative that the Bludit development team transitions to a more secure and intentionally slow hashing algorithm, such as bcrypt or Argon2, for password storage. These algorithms introduce the necessary computational overhead to resist brute-force attacks effectively. In addition, it is advised that appropriate cost factors are used. Furthermore, the generation of password salts should be revamped to employ a cryptographically secure method. The current approach, utilizing the `Text::randomText function`, should be replaced with a robust random number generator provided by the operating system or a dedicated cryptographic library. This change ensures the creation of unpredictable and secure salts, enhancing the overall resilience of the password storage mechanism.

Category

5.9
CVSS
Severity: Medium
CVSS 4.0 •
EPSS 0.07%
Affected: Bludit Bludit
Published at:
Updated at:

References

Link Tags
https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit/

Frequently Asked Questions

What is the severity of CVE-2024-24553?
CVE-2024-24553 has been scored as a medium severity vulnerability.
How to fix CVE-2024-24553?
To fix CVE-2024-24553: To address this vulnerability, it is imperative that the Bludit development team transitions to a more secure and intentionally slow hashing algorithm, such as bcrypt or Argon2, for password storage. These algorithms introduce the necessary computational overhead to resist brute-force attacks effectively. In addition, it is advised that appropriate cost factors are used. Furthermore, the generation of password salts should be revamped to employ a cryptographically secure method. The current approach, utilizing the `Text::randomText function`, should be replaced with a robust random number generator provided by the operating system or a dedicated cryptographic library. This change ensures the creation of unpredictable and secure salts, enhancing the overall resilience of the password storage mechanism.
Is CVE-2024-24553 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-24553 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-24553?
CVE-2024-24553 affects Bludit Bludit.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.