CVE-2021-39182

7.5 HIGH

📋 TL;DR

EnroCrypt versions before 1.1.4 use the insecure MD5 hashing algorithm, which can lead to hash collisions and password cracking. This affects developers using EnroCrypt for cryptographic operations, potentially compromising data integrity and authentication security. The vulnerability is particularly dangerous for beginners who may not recognize MD5's weaknesses.

💻 Affected Systems

Products:
  • EnroCrypt
Versions: All versions before 1.1.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using EnroCrypt's hashing functionality with default settings is vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could forge digital signatures, crack passwords, or create hash collisions to bypass authentication systems, leading to complete system compromise.

🟠

Likely Case

Password hashes could be cracked using rainbow tables or collision attacks, allowing unauthorized access to user accounts or sensitive data.

🟢

If Mitigated

With proper monitoring and limited exposure, the risk is reduced to potential data integrity issues rather than immediate system compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

MD5 vulnerabilities are well-documented and exploitation tools are widely available, though no specific exploit for this implementation is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.4

Vendor Advisory: https://github.com/Morgan-Phoenix/EnroCrypt/security/advisories/GHSA-35m5-8cvj-8783

Restart Required: No

Instructions:

1. Update EnroCrypt to version 1.1.4 or later using pip: 'pip install --upgrade EnroCrypt==1.1.4'
2. Verify the update completed successfully
3. Test affected functionality

🔧 Temporary Workarounds

Remove MD5 function

Platform: linux

Manually remove the MD5 hashing function from the hashing.py file so that any call to it fails instead of producing an MD5 digest. The sed expression below assumes MD5 is a top-level function in hashing.py; it deletes the function, body included, up to (but not including) the next top-level def:

sed -i '/^def MD5/,/^def/{/^def MD5/d;/^def/!d;}' /path/to/hashing.py

🧯 If You Can't Patch

  • Implement additional authentication layers and monitoring for suspicious hash usage
  • Migrate to alternative secure hashing libraries like bcrypt or Argon2

🔍 How to Verify

Check if Vulnerable:

Run 'pip show EnroCrypt' and check whether the reported version is below 1.1.4.

Check Version:

pip show EnroCrypt | grep Version

Verify Fix Applied:

Confirm that the installed version is 1.1.4 or higher, and test that the MD5 function is no longer available or raises an error when called.
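As an added example (not part of the advisory or the EnroCrypt project), a Python check that reads the installed EnroCrypt version from package metadata and decides whether it predates the fixed 1.1.4 release; the probe for a module-level MD5 function in EnroCrypt.hashing is an assumption about the package layout.

```python
"""Check whether an installed EnroCrypt is affected by CVE-2021-39182."""
import importlib
import re
from importlib import metadata

FIXED_VERSION = "1.1.4"  # first release without the MD5 function (per the advisory)


def parse_version(text):
    """Turn '1.1.4', '1.1', 'v2.0' or '1.1.4rc1' into a comparable tuple.

    Numeric components are padded to three places so 1.1 == 1.1.0. A
    pre-release suffix (rc1, b2, ...) sorts before the plain release; a
    post-release or local suffix (.post1, +local) sorts with the release.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    rest = m.group(2).strip()
    is_prerelease = bool(rest) and not rest.startswith((".post", "+", "-post"))
    return nums + (0 if is_prerelease else 1,)


def is_vulnerable(version):
    """True when the given EnroCrypt version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def installed_version(dist="EnroCrypt"):
    """Installed version of the distribution, or None when it is not installed."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def md5_still_exposed(module_name="EnroCrypt.hashing", attr="MD5"):
    """Probe for a callable MD5 after patching (module path is an assumption)."""
    try:
        mod = importlib.import_module(module_name)
    except ImportError:
        return False
    return callable(getattr(mod, attr, None))


def assess():
    """One-line verdict suitable for a post-upgrade check."""
    ver = installed_version()
    if ver is None:
        return "EnroCrypt is not installed"
    status = "VULNERABLE" if is_vulnerable(ver) else "fixed"
    probe = ", MD5 function still importable" if md5_still_exposed() else ""
    return f"EnroCrypt {ver}: {status} (fixed in {FIXED_VERSION}){probe}"


if __name__ == "__main__":
    print(assess())
```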

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts with MD5 hashes
  • Unusual hash generation patterns

Network Indicators:

  • Traffic patterns indicating hash collision attempts

SIEM Query:

source="application_logs" AND "MD5" AND ("hash" OR "authentication")
