Cyber Resilience

CVE-2023-33243

Severity: High · Public PoC

Published: 15 June 2023
Modified: 12 December 2024
KEV Added: not listed
Patch: (no entry)
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1335 (94.3rd percentile)
Risk Priority: 24 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-33243 is a high-severity Use of Password Hash With Insufficient Computational Effort (CWE-916) vulnerability in STARFACE by Starface. Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 5.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The vulnerability CVE-2023-33243 affects the web interface and REST API of STARFACE, which accept the SHA512 hash of a password for authentication in place of the cleartext password. This behavior negates the protective value of storing only password hashes in the application database, as described in the associated CWE-916 entry, and carries a CVSS 3.1 score of 8.1.

An attacker with network access who has obtained password hashes from a database compromise can authenticate directly to the web interface or REST API as the corresponding user without knowing the original password, resulting in potential full compromise of confidentiality, integrity, and availability.

Public advisories published by RedTeam Pentesting, which discovered the issue, provide further technical detail at the referenced URLs. The EPSS score has remained near 0.13–0.14 with no material upward trajectory after disclosure.

EU & UK References

Vulnerability details

RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allows authentication using the SHA512 hash of the password instead of the cleartext password. While storing password hashes instead of cleartext passwords in an application's database generally has become best practice to protect users' passwords in case of a database compromise, this is rendered ineffective when allowing to authenticate using the password hash.
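As an added illustration of the weakness class described in the analysis and in the advisory excerpt above (hypothetical code, not STARFACE's implementation and not from RedTeam Pentesting), the functions below contrast a login check that accepts a stored SHA-512 digest as a credential with a hardened check, and include a regression test a defender can point at any authentication path. User names, the password and the store layout are constructed sample data.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA512; a commonly recommended minimum today.
PBKDF2_ITERATIONS = 210_000

# Constructed sample data for a hypothetical application (not STARFACE's code or schema).
PASSWORD = "correct horse battery"
# Legacy store: unsalted SHA-512 hex digest, the storage pattern the advisory describes.
LEGACY_STORE = {"alice": hashlib.sha512(PASSWORD.encode()).hexdigest()}

def login_vulnerable(user, credential):
    """Flawed check: a 128-char hex credential is taken as an already-computed
    SHA-512 digest and compared directly, so a hash leaked from the database
    authenticates exactly like the password (CWE-916 / pass-the-hash)."""
    stored = LEGACY_STORE.get(user)
    if stored is None:
        return False
    if len(credential) == 128:
        submitted = credential.lower()
    else:
        submitted = hashlib.sha512(credential.encode()).hexdigest()
    return submitted == stored

def make_record(password):
    """Hardened storage: per-user random salt plus a slow, iterated KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

HARDENED_STORE = {"alice": make_record(PASSWORD)}

def login_hardened(user, credential):
    """Only the cleartext password is accepted: the server always re-derives the
    digest itself and compares in constant time, so a stolen record is useless
    as a credential and cannot be replayed."""
    record = HARDENED_STORE.get(user)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha512", credential.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def accepts_stored_hash(login, user, stored_value):
    """Regression check for this weakness class: presenting the stored hash value
    itself as the credential must never log in."""
    return login(user, stored_value)
```

Running accepts_stored_hash against the flawed function returns True, which is the finding the advisory describes; against the hardened function it returns False.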

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: starface
Product: starface
Versions: ≤ 7.3.0.10

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-916

Guidance from security contacts identifies password hashing methods that require insufficient computational effort so that they are not adopted.

References