{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-56516", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-12-26T20:47:25.612Z", "datePublished": "2024-12-30T16:19:47.571Z", "dateUpdated": "2024-12-30T16:48:21.594Z"}, "containers": {"cna": {"title": "free-one-api uses md5 for password storage", "problemTypes": [{"descriptions": [{"cweId": "CWE-328", "lang": "en", "description": "CWE-328: Use of Weak Hash", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/RockChinQ/free-one-api/security/advisories/GHSA-36cc-58vm-wm4h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/RockChinQ/free-one-api/security/advisories/GHSA-36cc-58vm-wm4h"}, {"name": "https://github.com/RockChinQ/free-one-api/blob/4d6ee42ffbb224b95be32c26cabc28d54d01bf78/web/src/main.js#L15", "tags": ["x_refsource_MISC"], "url": "https://github.com/RockChinQ/free-one-api/blob/4d6ee42ffbb224b95be32c26cabc28d54d01bf78/web/src/main.js#L15"}], "affected": [{"vendor": "RockChinQ", "product": "free-one-api", "versions": [{"version": "<= 1.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-30T16:19:47.571Z"}, "descriptions": [{"lang": "en", "value": "free-one-api allows users to access large language model reverse engineering libraries through the standard OpenAI API format. In versions up to and including 1.0.1, MD5 is used to hash passwords before sending them to the backend. MD5 is a cryptographically broken hashing algorithm and is no longer considered secure for password storage or transmission. It is vulnerable to collision attacks and can be easily cracked using modern hardware, exposing user credentials to potential compromise. As of time of publication, a replacement for MD5 has not been committed to the free-one-api GitHub repository."}], "source": {"advisory": "GHSA-36cc-58vm-wm4h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-30T16:48:13.058983Z", "id": "CVE-2024-56516", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-30T16:48:21.594Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-56516", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-12-30T16:48:13.058983Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-30T16:48:18.293Z"}}], "cna": {"title": "free-one-api uses md5 for password storage", "source": {"advisory": "GHSA-36cc-58vm-wm4h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "RockChinQ", "product": "free-one-api", "versions": [{"status": "affected", "version": "<= 1.0.1"}]}], "references": [{"url": "https://github.com/RockChinQ/free-one-api/security/advisories/GHSA-36cc-58vm-wm4h", "name": "https://github.com/RockChinQ/free-one-api/security/advisories/GHSA-36cc-58vm-wm4h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/RockChinQ/free-one-api/blob/4d6ee42ffbb224b95be32c26cabc28d54d01bf78/web/src/main.js#L15", "name": "https://github.com/RockChinQ/free-one-api/blob/4d6ee42ffbb224b95be32c26cabc28d54d01bf78/web/src/main.js#L15", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "free-one-api allows users to access large language model reverse engineering libraries through the standard OpenAI API format. In versions up to and including 1.0.1, MD5 is used to hash passwords before sending them to the backend. MD5 is a cryptographically broken hashing algorithm and is no longer considered secure for password storage or transmission. It is vulnerable to collision attacks and can be easily cracked using modern hardware, exposing user credentials to potential compromise. As of time of publication, a replacement for MD5 has not been committed to the free-one-api GitHub repository."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-328", "description": "CWE-328: Use of Weak Hash"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-30T16:19:47.571Z"}}}, "cveMetadata": {"cveId": "CVE-2024-56516", "state": "PUBLISHED", "dateUpdated": "2024-12-30T16:48:21.594Z", "dateReserved": "2024-12-26T20:47:25.612Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-12-30T16:19:47.571Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "free-one-api allows users to access large language model reverse engineering libraries through the standard OpenAI API format. In versions up to and including 1.0.1, MD5 is used to hash passwords before sending them to the backend. MD5 is a cryptographically broken hashing algorithm and is no longer considered secure for password storage or transmission. It is vulnerable to collision attacks and can be easily cracked using modern hardware, exposing user credentials to potential compromise. As of time of publication, a replacement for MD5 has not been committed to the free-one-api GitHub repository."}, {"lang": "es", "value": "free-one-api permite a los usuarios acceder a grandes librer\u00edas de ingenier\u00eda inversa de modelos de lenguaje a trav\u00e9s del formato est\u00e1ndar de API de OpenAI. En versiones hasta la 1.0.1 incluida, se utiliza MD5 para codificar las contrase\u00f1as antes de enviarlas al backend. MD5 es un algoritmo de codificaci\u00f3n criptogr\u00e1ficamente defectuoso y ya no se considera seguro para el almacenamiento o la transmisi\u00f3n de contrase\u00f1as. Es vulnerable a ataques de colisi\u00f3n y se puede descifrar f\u00e1cilmente con hardware moderno, lo que expone las credenciales de los usuarios a un posible riesgo. Al momento de la publicaci\u00f3n, no se ha enviado un reemplazo para MD5 al repositorio de GitHub de free-one-api."}], "id": "CVE-2024-56516", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-12-30T17:15:09.687", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/RockChinQ/free-one-api/blob/4d6ee42ffbb224b95be32c26cabc28d54d01bf78/web/src/main.js#L15"}, {"source": "security-advisories@github.com", "url": "https://github.com/RockChinQ/free-one-api/security/advisories/GHSA-36cc-58vm-wm4h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-328"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}