CVE-2023-33243
Published: 15 June 2023
Summary
CVE-2023-33243 is a high-severity Use of Password Hash With Insufficient Computational Effort (CWE-916) vulnerability in STARFACE by Starface. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 5.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The vulnerability CVE-2023-33243 affects the web interface and REST API of STARFACE, which accept the SHA512 hash of a password for authentication in place of the cleartext password. This behavior negates the protective value of storing only password hashes in the application database, as described in the associated CWE-916 entry, and carries a CVSS 3.1 score of 8.1.
An attacker with network access who has obtained password hashes from a database compromise can authenticate directly to the web interface or REST API as the corresponding user without knowing the original password, with potential full compromise of confidentiality, integrity, and availability of that account's access.
Public advisories published by RedTeam Pentesting, which discovered the issue, provide further technical detail at the referenced URLs. The EPSS score has remained near 0.13–0.14 with no material upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-37412
Vulnerability details
RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allows authentication using the SHA512 hash of the password instead of the cleartext password. While storing password hashes instead of cleartext passwords in an application's database generally has become best practice to protect users' passwords in case of a database compromise, this is rendered ineffective when allowing authentication using the password hash.
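As an added example (hypothetical code, not STARFACE's implementation and not taken from the advisory), a login check that models the weakness described above, where a submitted value shaped like a SHA512 digest is compared directly against the stored digest, next to a hardened check that always derives a salted, iterated hash from the submitted secret. The user record, password and iteration count are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample record: the application stores only the unsalted
# SHA512 hex digest of the user's password (hypothetical schema).
USER_DB = {"alice": hashlib.sha512(b"correct horse battery staple").hexdigest()}


def looks_like_sha512_hex(value: str) -> bool:
    return len(value) == 128 and all(c in "0123456789abcdef" for c in value.lower())


def verify_vulnerable(username: str, credential: str) -> bool:
    """Models CWE-916 as described on this page: a credential that already looks
    like a SHA512 digest is accepted as-is, so the stored hash is itself a
    valid credential and hashing the database column protects nothing."""
    stored = USER_DB.get(username)
    if stored is None:
        return False
    if looks_like_sha512_hex(credential):
        candidate = credential.lower()  # accepted without hashing: the defect
    else:
        candidate = hashlib.sha512(credential.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored)


# Hardened form: per-user salt, iterated PBKDF2-HMAC-SHA512, and the verifier
# always runs the KDF over the submitted secret. A leaked record (salt + digest)
# is then not sufficient to log in.
PBKDF2_ITERATIONS = 210_000  # constructed value for the example


def make_record(password: str) -> dict:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_hardened(record: dict, credential: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha512", credential.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("vulnerable, password    :", verify_vulnerable("alice", pw))             # True
    print("vulnerable, stored hash :", verify_vulnerable("alice", USER_DB["alice"]))  # True (the bug)
    rec = make_record(pw)
    print("hardened, password      :", verify_hardened(rec, pw))                   # True
    print("hardened, stored digest :", verify_hardened(rec, rec["digest"].hex()))  # False
```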
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
The cited weakness, CWE-916, concerns password hashing methods with insufficient computational effort; controls that enforce salted, deliberately slow hashing and that never accept a stored hash as a login credential address this weakness class.