Security Announcement - Disclosure of Admin bcrypt Hash


=plg_authenticate_admin= exposed the bcrypt hash of the admin password when a public endpoint that is part of Filestash core was accessed. This plugin is installed by default in the AGPL release. A threat actor could use this vulnerability to obtain the admin bcrypt hash and run offline brute-force attacks against it to recover the password, circumventing the rate limiting that is in place precisely to prevent this type of attack.
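The pattern behind this class of bug is a settings record that is serialised whole for a public endpoint, hash included. The following Go program is an added illustration written for this announcement, not Filestash code: the struct, field names and the bcrypt-style string are constructed. It shows the leaky form beside a response type that has no hash field at all, plus a check that a test suite can run over any response body to catch a bcrypt hash before it ships.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// adminConfig is a hypothetical settings record. The hash below is a
// constructed bcrypt-shaped string, not a real credential.
type adminConfig struct {
	Name         string `json:"name"`
	PasswordHash string `json:"password_hash"`
}

// leakyResponse mirrors the flawed pattern: the whole record is marshalled
// for an endpoint that unauthenticated clients can reach, so the hash leaks.
func leakyResponse(c adminConfig) string {
	b, _ := json.Marshal(c)
	return string(b)
}

// publicAdminView is the type that is allowed to reach the wire. It carries
// no hash field, so there is no tag or redaction step that can be forgotten.
type publicAdminView struct {
	Name          string `json:"name"`
	PasswordIsSet bool   `json:"password_is_set"`
}

// safeResponse projects the record onto the public view before marshalling.
func safeResponse(c adminConfig) string {
	b, _ := json.Marshal(publicAdminView{
		Name:          c.Name,
		PasswordIsSet: c.PasswordHash != "",
	})
	return string(b)
}

// containsBcryptHash is a regression check for response bodies: bcrypt
// hashes are recognisable by their "$2a$", "$2b$" or "$2y$" prefix.
func containsBcryptHash(body string) bool {
	for _, prefix := range []string{"$2a$", "$2b$", "$2y$"} {
		if strings.Contains(body, prefix) {
			return true
		}
	}
	return false
}

func main() {
	cfg := adminConfig{
		Name:         "admin",
		PasswordHash: "$2b$10$ConstructedSampleHashValueNotARealCredential000000000", // constructed
	}
	fmt.Println("leaky:", leakyResponse(cfg), "leaks hash:", containsBcryptHash(leakyResponse(cfg)))
	fmt.Println("safe: ", safeResponse(cfg), "leaks hash:", containsBcryptHash(safeResponse(cfg)))
}
```

The design choice worth copying is the separate response type: a `json:"-"` tag on the hash field would also work, but it has to be remembered on every secret-bearing field, whereas a dedicated view type fails closed. The `containsBcryptHash` check belongs in the endpoint's tests so a future refactor that reintroduces the leak fails CI rather than shipping.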

We have gone through all the opt-in telemetry data and have not seen any exploitation of this issue in the wild.


The issue was fixed in 2 ways:


The vulnerability was reported by Daniel Abeles and Gal Goldshtein. Thank you to them.