Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-759 (使用未加Salt的单向哈希算法) — Vulnerability Class 9

9 vulnerabilities classified as CWE-759 (使用未加Salt的单向哈希算法). AI Chinese analysis included.

CWE-759 represents a cryptographic weakness where systems hash sensitive data, such as passwords, without incorporating a unique random value known as a salt. This omission significantly weakens security by allowing attackers to leverage pre-computed hash databases, commonly referred to as rainbow tables, to reverse-engineer original inputs. Without salt, identical passwords produce identical hashes, enabling efficient dictionary attacks that bypass the need for individual brute-force attempts per user. To mitigate this risk, developers must integrate a cryptographically secure, unique salt for every password before hashing. Modern best practices recommend using specialized key derivation functions like bcrypt, scrypt, or Argon2, which automatically handle salting and computational stretching, thereby ensuring that even compromised databases remain resistant to rapid decryption and mass credential exposure.

MITRE CWE Description
The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input. This makes it easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables. It should be noted that, despite common perceptions, the use of a good salt with a hash does not sufficiently increase the effort for an attacker who is targeting an individual password, or who has a large amount of computing resources available, such as with cloud-based services or specialized, inexpensive hardware. Offline password cracking can still be effective if the hash function is not expensive to compute; many cryptographic functions are designed to be efficient and can be vulnerable to attacks using massive computing resources, even if the hash is cryptographically strong. The use of a salt only slightly increases the computing requirements for an attacker compared to other strategies such as adaptive hash functions. See CWE-916 for more details.
Common Consequences (1)
Access ControlBypass Protection Mechanism, Gain Privileges or Assume Identity
If an attacker can gain access to the hashes, then the lack of a salt makes it easier to conduct brute force attacks using techniques such as rainbow tables.
Mitigations (3)
Architecture and DesignUse an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For ex…
Effectiveness: High
Architecture and DesignIf a technique that requires extra computational effort can not be implemented, then for each password that is processed, generate a new random salt using a strong random number generator with unpredictable seeds. Add the salt to the plaintext password before hashing it. When storing the hash, also store the salt. Do not use the same salt for every password.
Effectiveness: Limited
Implementation, Architecture and DesignWhen using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.
Examples (2)
In both of these examples, a user is logged in if their given password matches a stored password:
unsigned char *check_passwd(char *plaintext) { ctext = simple_digest("sha1",plaintext,strlen(plaintext), ... ); //Login if hash matches stored hash if (equal(ctext, secret_password())) { login_user(); } }
Bad · C
String plainText = new String(plainTextIn); MessageDigest encer = MessageDigest.getInstance("SHA"); encer.update(plainTextIn); byte[] digest = password.digest(); //Login if hash matches stored hash if (equal(digest,secret_password())) { login_user(); }
Bad · Java
In this example, a new user provides a new username and password to create an account. The program hashes the new user's password then stores it in a database.
def storePassword(userName,Password): hasher = hashlib.new('md5') hasher.update(Password) hashedPassword = hasher.digest() # UpdateUserLogin returns True on success, False otherwise return updateUserLogin(userName,hashedPassword)
Bad · Python
def storePassword(userName,Password): hasher = hashlib.new('md5',b'SaltGoesHere') hasher.update(Password) hashedPassword = hasher.digest() # UpdateUserLogin returns True on success, False otherwise return updateUserLogin(userName,hashedPassword)
Good · Python
CVE IDTitleCVSSSeverityPublished
CVE-2025-36253 Multiple Vulnerabilities in IBM Concert Software. — Concert 5.9 Medium2026-02-02
CVE-2025-10205 Predictable Salt and Weak Hashing Algorithm — FLXEON 8.8 High2025-09-17
CVE-2025-53884 NeuVector has an insecure password storage vulnerable to rainbow attack — neuvector 5.3 Medium2025-09-17
CVE-2025-27408 Manifest Uses a One-Way Hash without a Salt — manifest 4.8 Medium2025-02-28
CVE-2023-33838 IBM Security Verify Governance information disclosure — Security Verify Governance 4.4 Medium2025-01-29
CVE-2023-1430 FluentCRM - Marketing Automation For WordPress <= 2.8.01 - Insufficient Use of Hash as Authorization Control — FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution 6.5 Medium2023-06-09
CVE-2020-25164 B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus — SpaceCom 6.5 Medium2022-04-14
CVE-2021-21253 Use of a One-Way Hash without a Salt in OnlineVotingSystem — OnlineVotingSystem 5.8 Medium2021-01-21
CVE-2020-16244 APM Classic 安全漏洞 — GE Digital APM Classic 6.7 -2020-09-23

Vulnerabilities classified as CWE-759 (使用未加Salt的单向哈希算法) represent 9 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.