Skip to content

accounts: Hash account number using Salt

Low severity GitHub Reviewed Published Oct 22, 2020 in moov-io/customers • Updated Jan 9, 2023

Package

gomod github.com/moov-io/customers (Go)

Affected versions

< 0.5.0

Patched versions

0.5.0

Description

@alovak found that currently when we build hash of account number we do not "salt" it. Which makes it vulnerable to rainbow table attack.

What did you expect to see?
I expected salt (some random number from configuration) to be used in hash.AccountNumber

I would generate salt per tenant at least (maybe per organization).

References

@adamdecaf adamdecaf published to moov-io/customers Oct 22, 2020
Reviewed May 21, 2021
Published to the GitHub Advisory Database May 24, 2021
Last updated Jan 9, 2023

Severity

Low

EPSS score

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-g636-q5fc-4pr7

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.