EspoCRM Password Hash Sorting Vulnerability Allowing Hash Disclosure

Vulnerability

A vulnerability in EspoCRM prior to version 9.0.7 allows users to be sorted by their password hash. Because the resulting order reveals how the stored hash values compare to one another, it can be used to disclose the password hashes of other users. Although the Bcrypt hashing algorithm used for passwords adds a layer of security by incorporating a random salt, an attacker who knows their own password hash could still exploit this flaw: by changing their password and repeating the sort, they could reveal the hashes of other users. This vulnerability is particularly concerning because, while the user table currently only contains passwords and API keys, future versions of EspoCRM might include additional sensitive information.

Impact

Exploitation of this vulnerability could disclose password hashes, which an attacker could then attempt to crack to recover plaintext passwords and gain unauthorized access to user accounts.

Reproduction

To reproduce this vulnerability, sort the user list by the password column. The sort returns users ordered by their password hashes, so the relative values of the hashes can be compared. If an attacker knows their own password hash, they can use this information to infer the hashes of other users and potentially recover their passwords.

Remediation

Update to EspoCRM version 9.0.7 or later, which addresses this vulnerability.
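The root cause described above is a list endpoint that accepts any attribute, including a sensitive one, as the sort key. The following is an added example (not EspoCRM's own code or its 9.0.7 fix) showing the pre-fix behaviour beside an allowlist-based sort handler, plus a small check over request log lines that flags sorting by a sensitive column. The field names (userName, createdAt), the orderBy query parameter, the sensitive-field list and the user records are all assumptions constructed for the example.

```python
"""Allowlist-based sort validation and a log check for sort-by-sensitive-column requests.

Added example; not EspoCRM code. Field and parameter names are assumptions
chosen to mirror a typical user list endpoint.
"""
from urllib.parse import parse_qs, urlparse

# Constructed sample user records. The "password" values are shaped like bcrypt
# strings but are made up for this example; they are not real hashes.
USERS = [
    {"id": "1", "userName": "carol", "password": "$2y$10$aQ1example.hash.value.A"},
    {"id": "2", "userName": "alice", "password": "$2y$10$mZ9example.hash.value.B"},
    {"id": "3", "userName": "bob",   "password": "$2y$10$cK4example.hash.value.C"},
]

# Assumption: columns that must never act as a sort key, because the order of
# the result set would leak how their values compare.
SENSITIVE_FIELDS = {"password", "apiKey", "secretKey"}

# Assumption: explicit allowlist of attributes a client may sort by.
SORTABLE_FIELDS = {"id", "userName", "createdAt"}


def list_users_vulnerable(users, order_by):
    """Pre-fix behaviour as the advisory describes it: any column, the hash
    included, is accepted as the sort key, so the returned order encodes the
    relative values of the hashes."""
    return [u["userName"] for u in sorted(users, key=lambda u: u[order_by])]


def list_users(users, order_by="userName", direction="asc"):
    """Hardened variant: the sort key must come from the allowlist, so a
    sensitive column can never influence result order."""
    if order_by not in SORTABLE_FIELDS:
        raise ValueError(f"sorting by {order_by!r} is not permitted")
    if direction not in ("asc", "desc"):
        raise ValueError(f"invalid sort direction {direction!r}")
    ordered = sorted(users, key=lambda u: u[order_by], reverse=(direction == "desc"))
    return [u["userName"] for u in ordered]


def flag_sensitive_sort_requests(log_lines):
    """Return (line, field) pairs for requests whose orderBy parameter names a
    sensitive column. Expects constructed lines of the form 'METHOD PATH STATUS'."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        query = parse_qs(urlparse(parts[1]).query)
        for field in query.get("orderBy", []):
            if field in SENSITIVE_FIELDS:
                flagged.append((line, field))
    return flagged


# Constructed sample request log: two of the four requests sort by the hash column.
SAMPLE_LOG = [
    "GET /api/v1/User?orderBy=userName&order=asc 200",
    "GET /api/v1/User?orderBy=password&order=asc 200",
    "GET /api/v1/User?orderBy=password&order=desc 200",
    "GET /api/v1/User?orderBy=createdAt 200",
]


if __name__ == "__main__":
    print("vulnerable, sorted by password:", list_users_vulnerable(USERS, "password"))
    print("hardened, sorted by userName:  ", list_users(USERS, "userName"))
    try:
        list_users(USERS, "password")
    except ValueError as exc:
        print("hardened, sorted by password:  rejected:", exc)
    for line, field in flag_sensitive_sort_requests(SAMPLE_LOG):
        print("flagged:", field, "<-", line)
```

The allowlist is deliberately a positive list of attributes rather than a denylist of secrets: a denylist silently fails the moment a new sensitive column is added to the user table, which is exactly the future-growth concern the advisory raises. The log check is a cheap way to look back through access logs for attempts against unpatched instances.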

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          3.1
  impact          2.5
  exploitability  6.6
  remediation     7.7
  relevance       0.0
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.