Incomplete Fix for Password Hash Algorithm Vulnerability in Best Practical Solutions RT 3.x and 4.x

CVE-2011-2082 · MEDIUM Severity

AV:N/AC:L/AU:N/C:P/I:N/A:N

The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not update the password-hash algorithm for disabled user accounts, which makes it easier for context-dependent attackers to determine cleartext passwords, and possibly use these passwords after accounts are re-enabled, via a brute-force attack on the database. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-0009.
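As an added illustration, not code from this advisory or from RT itself, the following constructed Python sketch contrasts a rehash migration that filters out disabled accounts (the flaw described above) with one that covers every row, and includes the audit check a defender would run afterwards; the table layout, column names and hash formats are assumptions, not RT's real schema.

```python
import hashlib
import os
import sqlite3

# Constructed sample rows (name, disabled flag, legacy hash); not RT's real schema.
SAMPLE_USERS = [
    ("alice", 0, "md5:" + hashlib.md5(b"alice-pw").hexdigest()),
    ("bob", 1, "md5:" + hashlib.md5(b"bob-pw").hexdigest()),    # disabled account
    ("carol", 0, "md5:" + hashlib.md5(b"carol-pw").hexdigest()),
]


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, disabled INTEGER, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return db


def upgrade_hash(old_hash):
    # Placeholder for the stronger scheme (assumption, not RT's format): since the
    # cleartext is unavailable at migration time, wrap the legacy hash in a salted,
    # iterated KDF so an offline attacker can no longer brute-force the bare MD5.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", old_hash.encode(), salt, 100_000)
    return "pbkdf2:" + salt.hex() + ":" + digest.hex()


def migrate(db, include_disabled):
    # include_disabled=False reproduces the incomplete fix: only active accounts
    # are rehashed, so disabled users keep their weak hash in the database.
    where = "" if include_disabled else " WHERE disabled = 0"
    rows = db.execute("SELECT name, password FROM users" + where).fetchall()
    for name, pw in rows:
        if pw.startswith("md5:"):
            db.execute("UPDATE users SET password = ? WHERE name = ?", (upgrade_hash(pw), name))
    db.commit()


def weak_hash_accounts(db):
    # Post-migration audit: every account, enabled or not, must be off the legacy scheme.
    return [n for (n,) in db.execute(
        "SELECT name FROM users WHERE password LIKE 'md5:%' ORDER BY name")]
```

Running the audit after a migration is the check that catches this class of incomplete fix: any row it returns is a credential an attacker with database access could still attack offline and reuse once the account is re-enabled.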
