Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
FreshRSS has an authentication bypass due to truncated bcrypt hash [edge branch]
Vulnerability Description
FreshRSS is a free, self-hostable RSS aggregator. From 57e1a37 - 00f2f04, the lengths of the nonce was changed from 40 chars to 64. password_verify() is currently being called with a constructed string (SHA-256 nonce + part of a bcrypt hash) instead of the raw user password. Due to bcrypt’s 72-byte input truncation, this causes password verification to succeed even when the user enters an incorrect password. This vulnerability is fixed in 1.27.2-dev (476e57b). The issue was only present in the edge branch and never in a stable release.
CVSS Information
N/A
Vulnerability Type
认证机制不恰当
Vulnerability Title
FreshRSS 授权问题漏洞
Vulnerability Description
FreshRSS是FreshRSS开源的一个免费的、可自行托管的 RSS 聚合器。 FreshRSS存在授权问题漏洞,该漏洞源于密码验证逻辑缺陷,可能导致即使用户输入错误密码,验证也会成功。
CVSS Information
N/A
Vulnerability Type
N/A