{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27408", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-02-24T15:51:17.268Z", "datePublished": "2025-02-28T17:26:15.196Z", "dateUpdated": "2025-03-04T22:23:15.608Z"}, "containers": {"cna": {"title": "Manifest Uses a One-Way Hash without a Salt", "problemTypes": [{"descriptions": [{"cweId": "CWE-759", "lang": "en", "description": "CWE-759: Use of a One-Way Hash without a Salt", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c"}, {"name": "https://github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69", "tags": ["x_refsource_MISC"], "url": "https://github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69"}], "affected": [{"vendor": "mnfst", "product": "manifest", "versions": [{"version": "< 4.9.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-04T22:23:15.608Z"}, "descriptions": [{"lang": "en", "value": "Manifest offers users a one-file micro back end. Prior to version 4.9.2, Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process. Version 4.9.2 fixes the issue."}], "source": {"advisory": "GHSA-h8h6-7752-g28c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-28T18:10:40.836169Z", "id": "CVE-2025-27408", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-28T18:11:49.988Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27408", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-28T18:10:40.836169Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-28T18:11:16.010Z"}}], "cna": {"title": "Manifest Uses a One-Way Hash without a Salt", "source": {"advisory": "GHSA-h8h6-7752-g28c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "mnfst", "product": "manifest", "versions": [{"status": "affected", "version": "< 4.9.2"}]}], "references": [{"url": "https://github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c", "name": "https://github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69", "name": "https://github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Manifest offers users a one-file micro back end. Prior to version 4.9.2, Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process. Version 4.9.2 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-759", "description": "CWE-759: Use of a One-Way Hash without a Salt"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-04T22:23:15.608Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27408", "state": "PUBLISHED", "dateUpdated": "2025-03-04T22:23:15.608Z", "dateReserved": "2025-02-24T15:51:17.268Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-02-28T17:26:15.196Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Manifest offers users a one-file micro back end. Prior to version 4.9.2, Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process. Version 4.9.2 fixes the issue."}, {"lang": "es", "value": "Manifest ofrece a los usuarios un micro back end de un solo archivo. Antes de la versi\u00f3n 4.9.1, Manifest empleaba una implementaci\u00f3n de hash de contrase\u00f1as d\u00e9bil que utiliza SHA3 sin sal. Esto expone las contrase\u00f1as de los usuarios a un mayor riesgo de ser descifradas si un atacante obtiene acceso a la base de datos. Sin el uso de una sal, las contrase\u00f1as id\u00e9nticas de varios usuarios dar\u00e1n como resultado el mismo hash, lo que facilita que los atacantes identifiquen y exploten patrones, acelerando as\u00ed el proceso de descifrado. La versi\u00f3n 4.9.1 soluciona el problema."}], "id": "CVE-2025-27408", "lastModified": "2025-03-04T23:15:10.897", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-02-28T18:15:28.983", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69"}, {"source": "security-advisories@github.com", "url": "https://github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-759"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}