CVE-2024-22892

7.5 HIGH

📋 TL;DR

OpenSlides 4.0.15 uses a weak hashing algorithm to store user passwords, making them vulnerable to offline cracking attacks. This affects all OpenSlides 4.0.15 installations where user accounts exist. Attackers who gain access to the password database can potentially recover plaintext passwords.

💻 Affected Systems

Products:
  • OpenSlides
Versions: 4.0.15
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of OpenSlides 4.0.15 are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain password database and crack all passwords, gaining unauthorized access to all user accounts including administrative privileges, leading to complete system compromise.

🟠 Likely Case

Attackers with database access can crack weak passwords, gaining access to some user accounts and potentially escalating privileges within the OpenSlides application.

🟢 If Mitigated

With strong password policies and proper access controls in place, only weak passwords would remain crackable, limiting the scope of a compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the password database, which typically requires some level of system access first.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.16 or later

Vendor Advisory: https://github.com/OpenSlides/OpenSlides/security/advisories

Restart Required: Yes

Instructions:

1. Back up your OpenSlides installation and database.
2. Update to OpenSlides 4.0.16 or later.
3. Restart the OpenSlides service.
4. Force password resets for all users.

🔧 Temporary Workarounds

Force Password Reset (applies to: all users)

Require all users to change their passwords so that new hashes are generated with the stronger algorithm.

🧯 If You Can't Patch

  • Implement strict password policies requiring complex passwords
  • Restrict database access and monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check the OpenSlides version in the admin interface or via the 'openslides --version' command.

Check Version:

openslides --version

Verify Fix Applied:

Verify that OpenSlides 4.0.16 or later is installed and confirm that stored password hashes use the strong algorithm.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized database access attempts
  • Multiple failed login attempts

Network Indicators:

  • Unusual database connection patterns

SIEM Query:

source="openslides" AND (event="database_access" OR event="failed_login")
