GHSA-f3wp-xpv2-6vmg: silverstripe/framework password encryption salt not updated
When a user changes their password, the internal salt used for hashing their password is not updated.
Although this is not considered a security vulnerability, this behaviour has been improved to ensure the salt is reset on change of password.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-008-1.yaml
- github.com/advisories/GHSA-f3wp-xpv2-6vmg
- github.com/silverstripe/silverstripe-framework
- github.com/silverstripe/silverstripe-framework/commit/08384bb4d6b98c44388ffb4727c317ed14fe3c81
- github.com/silverstripe/silverstripe-framework/commit/298f61521c55b07e5c898a92264dbe111735a87a
- github.com/silverstripe/silverstripe-framework/commit/dc47f7ec9adf67a3f31887467de5b110e8e5b285
- github.com/silverstripe/silverstripe-framework/commit/f85dea2e6d5b303abd43b5e5efc07c66c8d2acf4
- www.silverstripe.org/download/security-releases/ss-2016-008
Code Behaviors & Features
Detect and mitigate GHSA-f3wp-xpv2-6vmg with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →