RubySec

Providing security resources for the Ruby community

OSVDB-108575 (cap-strap): cap-strap Gem for Ruby Hardcoded Password Crypt Hash Salt Weakness

ADVISORIES

  • OSVDB-108575

GEM

cap-strap

PATCHED VERSIONS

None.

DESCRIPTION

cap-strap Gem for Ruby contains a flaw that is due to the application using a hardcoded default ‘sa’ salt when hashing passwords with crypt. Because the salt is fixed and known, every password is hashed the same way: identical passwords produce identical hashes, and a local attacker who obtains the stored hashes can precompute a single dictionary for the ‘sa’ salt and crack all of them in one pass, far more easily than if each hash carried its own random salt.
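The following is an added illustration of the weakness described above; it is not cap-strap's code. The hash primitive is PBKDF2-HMAC-SHA256 from Ruby's OpenSSL binding, standing in for crypt(3) so the example runs on any Ruby without depending on the platform's crypt support; the salt handling is the point. The user names, passwords and wordlist are constructed sample data.

```ruby
require 'openssl'
require 'securerandom'

# Hash primitive used throughout (stand-in for crypt(3); the salt handling is
# what the advisory is about, not the digest).
ITERATIONS = 10_000
KEY_LEN    = 32

def derive(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN, 'sha256').unpack1('H*')
end

# --- Weak pattern from the advisory: one hardcoded salt for every password ---
WEAK_SALT = 'sa'

def weak_hash(password)
  derive(password, WEAK_SALT)
end

# Attacker's view: the salt is a known constant, so a single precomputed table of
# candidate hashes cracks every stored hash at once. Returns user => password or nil.
def crack_with_fixed_salt(stored_hashes, wordlist)
  table = wordlist.to_h { |word| [weak_hash(word), word] }
  stored_hashes.transform_values { |h| table[h] }
end

# --- Hardened pattern: fresh random salt per password, stored beside the hash ---
def strong_hash(password, salt = SecureRandom.hex(16))
  "#{salt}$#{derive(password, salt)}"
end

# Constant-time comparison so a mismatch does not leak how many bytes matched.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def strong_verify(password, stored)
  salt, digest = stored.split('$', 2)
  secure_eq(derive(password, salt), digest)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample data: two users share a password.
  users = {
    'alice' => weak_hash('Password1'),
    'bob'   => weak_hash('Password1'),
    'carol' => weak_hash('correct horse'),
  }
  puts "alice and bob have identical hashes: #{users['alice'] == users['bob']}"
  cracked = crack_with_fixed_salt(users, %w[123456 Password1 letmein])
  cracked.each { |user, pw| puts "#{user}: #{pw || 'not in wordlist'}" }

  # With per-password salts the same password no longer collides.
  h1 = strong_hash('Password1')
  h2 = strong_hash('Password1')
  puts "random-salt hashes differ: #{h1 != h2}, verify: #{strong_verify('Password1', h1)}"
end
```

Note that a random salt only removes the cross-account precomputation; if the underlying function is traditional DES crypt, the 8-character truncation and 12-bit salt space remain, so migrating to bcrypt or another modern password hash is the real fix.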