
GHSA-g636-q5fc-4pr7: accounts: Hash account number using Salt

CVSS Score
N/A

Basic Information

CVE ID
-
EPSS Score
-
CWE
-
Published
5/24/2021
Updated
1/9/2023
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
-
Package Name                 | Ecosystem | Vulnerable Versions | First Patched Version
github.com/moov-io/customers | go        | < 0.5.0             | 0.5.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from unsalted hashing of account numbers. The original hash.AccountNumber function computed a raw SHA-256 over the account number alone; because account numbers are short, fixed-format strings with little entropy, an attacker holding the stored digests could recover them with a precomputed (rainbow) table. The key evidence is the removal of hash.AccountNumber and its replacement with hash.SHA256Hash, which mixes a salt into the digest. The change to CreateAccountRequest.Disfigure in router.go, which now calls the salted hash, confirms that the original hash.AccountNumber call sites were the vulnerable ones.
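The following Go program is an added example, not code from moov-io/customers or from this advisory. It reproduces the weak pattern the analysis describes (a keyless SHA-256 over the account number), builds a precomputed table over a small account-number keyspace to show how quickly such a digest is reversed, and then shows that a digest keyed with a configured secret is not in that table. The helper names (unsaltedAccountHash, saltedAccountHash, buildRainbowTable, recoverAccountNumber) and the sample salt and account number are this example's own; the hardened form uses HMAC-SHA256 with the configured secret as the key, which is the editor's choice, and the page does not show how the project's hash.SHA256Hash combines its salt.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// unsaltedAccountHash reproduces the vulnerable pattern the advisory describes:
// a raw SHA-256 over the account number and nothing else. The digest is
// deterministic and keyless, so whoever obtains the stored digests can
// precompute SHA-256 for every plausible account number and look each one up.
func unsaltedAccountHash(accountNumber string) string {
	sum := sha256.Sum256([]byte(accountNumber))
	return hex.EncodeToString(sum[:])
}

// saltedAccountHash is this example's hardened form: HMAC-SHA256 keyed with a
// secret salt loaded from configuration. Without the key an attacker cannot
// precompute digests, so a leaked digest column no longer reveals account
// numbers. Hypothetical helper; how the project's hash.SHA256Hash mixes in its
// salt is not shown on this page.
func saltedAccountHash(salt []byte, accountNumber string) string {
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte(accountNumber))
	return hex.EncodeToString(mac.Sum(nil))
}

// buildRainbowTable precomputes unsalted digests for every zero-padded
// account number of the given length, mapping digest -> account number.
// Real account numbers are longer, but their keyspace is still enumerable
// by a determined attacker; the length is kept small here so the example
// runs in well under a second.
func buildRainbowTable(digits int) map[string]string {
	limit := 1
	for i := 0; i < digits; i++ {
		limit *= 10
	}
	table := make(map[string]string, limit)
	for n := 0; n < limit; n++ {
		acct := fmt.Sprintf("%0*d", digits, n)
		table[unsaltedAccountHash(acct)] = acct
	}
	return table
}

// recoverAccountNumber is the attacker's lookup: given a digest lifted from
// the database, return the matching account number and true on a hit.
func recoverAccountNumber(table map[string]string, digest string) (string, bool) {
	acct, ok := table[digest]
	return acct, ok
}

func main() {
	// Constructed sample values, not taken from the project.
	salt := []byte("configured-secret-kept-out-of-the-database")
	account := "04212" // a 5-digit account number in this toy keyspace

	table := buildRainbowTable(5)

	// Unsalted digest, as stored by the vulnerable code: reversed instantly.
	if acct, ok := recoverAccountNumber(table, unsaltedAccountHash(account)); ok {
		fmt.Printf("unsalted digest reversed -> %s\n", acct)
	}

	// Salted digest: the precomputed table has no entry for it.
	if _, ok := recoverAccountNumber(table, saltedAccountHash(salt, account)); !ok {
		fmt.Println("salted digest not found in rainbow table")
	}
}
```

Two practical points follow from the design. The salt here must be a secret held outside the database: a salt stored next to the digests still defeats a generic precomputed table, but an attacker who has both can brute-force the low-entropy account-number space directly, so a keyed construction such as HMAC with a configuration-supplied key is the stronger choice. Because the digest is used to look accounts up, it has to stay deterministic, which rules out per-record random salts and means that rotating the key requires re-hashing every stored value.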


Description

@alovak found that currently when we build hash of account number we do not "salt" it. Which makes it vulnerable to rainbow table attack. **What did you expect to see?** I expected salt (some random number from configuration) to be used in [hash.Acc
