Lucene search

RedhatCVE-2013-1895

HistoryJan 28, 2020 - 3:15 p.m.

CVE-2013-1895

2020-01-2815:15:14

CWE-307

redhat

web.nvd.nist.gov

py-bcrypt

python

authentication

bypass

cve-2013-1895

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

7.5

Confidence

High

EPSS

0.016

Percentile

87.6%

JSON

The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten.

Affected configurations

Nvd

Vulners

Node

pythonpy-bcryptRange<0.3

Node

fedoraprojectfedoraMatch17

fedoraprojectfedoraMatch18

VendorProductVersionCPE
pythonpy-bcrypt*cpe:2.3:a:python:py-bcrypt:*:*:*:*:*:*:*:*
fedoraprojectfedora17cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:*
fedoraprojectfedora18cpe:2.3:o:fedoraproject:fedora:18:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
python	py-bcrypt	*	cpe:2.3:a:python:py-bcrypt::::::::
fedoraproject	fedora	17	cpe:2.3:o:fedoraproject:fedora:17:::::::*
fedoraproject	fedora	18	cpe:2.3:o:fedoraproject:fedora:18:::::::*

CNA Affected

[
  {
    "product": "py-bcrypt",
    "vendor": "py-bcrypt",
    "versions": [
      {
        "status": "affected",
        "version": "before 0.3"
      }
    ]
  }
]