CVE-2012-2317

2022-10-0316:15:35

CWE-310

[email protected]

web.nvd.nist.gov

cve-2012-2317

debian

php

crypt

patch

bypass

authentication

remote attackers

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

7.2 High

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

55.8%

JSON

The Debian php_crypt_revamped.patch patch for PHP 5.3.x, as used in the php5 package before 5.3.3-7+squeeze4 in Debian GNU/Linux squeeze, the php5 package before 5.3.2-1ubuntu4.17 in Ubuntu 10.04 LTS, and the php5 package before 5.3.5-1ubuntu7.10 in Ubuntu 11.04, does not properly handle an empty salt string, which might allow remote attackers to bypass authentication by leveraging an application that relies on the PHP crypt function to choose a salt for password hashing.

Affected configurations

NVD

Node

debianphp5-commonRange≤5.3.2-1

debianphp5-commonMatch5.3.3-7\+squeeze4

debiandebian_linux

Node

canonicalphp5Range≤5.3.2-1ubuntu4.16

canonicalphp5Match5.3.2-1ubuntu4.17

canonicalubuntu_linuxMatch10.04-lts

Node

canonicalphp5Range≤5.3.5-1ubuntu7.9

canonicalphp5Match5.3.5-1ubuntu7.10

canonicalubuntu_linuxMatch11.04

CPENameOperatorVersion
debian:php5-commondebian php5-commonle5.3.2-1
debian:php5-commondebian php5-commoneq5.3.3-7+squeeze4
debian:debian_linuxdebian debian linuxeq*