3243 matches found
python-django: User enumeration through timing difference on password hasher work factor upgrade
A timing attack flaw was found in the way Django's PBKDF2PasswordHasher performed password hashing. Passwords hashed with an older version of PBKDF2PasswordHasher used fewer hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login...
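Added example, not Django's code: a toy PBKDF2 password store that reproduces the work-factor leak described above and the fix of running the missing iterations after checking a legacy hash, so every login costs the current work factor. The iteration counts, salts, user records and function names are constructed for the demo, and cost is reported as a count of PBKDF2 iterations rather than measured wall-clock time.

```python
import base64
import hashlib
import hmac
import os

# Constructed, deliberately small work factors so the demo runs fast.
CURRENT_ITERATIONS = 2000
LEGACY_ITERATIONS = 500


def pbkdf2(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)


def encode_password(password, salt, iterations):
    """Django-style encoded form: algorithm$iterations$salt$base64(digest)."""
    dk = pbkdf2(password, salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(dk).decode())


def decode(encoded):
    algorithm, iterations, salt, digest = encoded.split("$", 3)
    assert algorithm == "pbkdf2_sha256"
    return int(iterations), salt, digest


def verify_vulnerable(password, encoded):
    """Rehash at the stored iteration count only. Work done equals the stored
    count, so a legacy hash verifies faster than a current one: that gap is the
    user-enumeration signal. Returns (ok, iterations spent)."""
    iterations, salt, _ = decode(encoded)
    ok = hmac.compare_digest(encode_password(password, salt, iterations), encoded)
    return ok, iterations


def verify_hardened(password, encoded):
    """Same check, then burn the iterations a legacy hash is short of, so every
    verification costs CURRENT_ITERATIONS whatever the stored work factor."""
    iterations, salt, _ = decode(encoded)
    ok = hmac.compare_digest(encode_password(password, salt, iterations), encoded)
    work = iterations
    extra = CURRENT_ITERATIONS - iterations
    if extra > 0:
        pbkdf2(password, salt, extra)  # result discarded; only the cost matters
        work += extra
    return ok, work


# Constructed user store: alice hashed at the current factor, bob at the legacy one.
USERS = {
    "alice": encode_password("correct horse", "salt-a", CURRENT_ITERATIONS),
    "bob": encode_password("battery staple", "salt-b", LEGACY_ITERATIONS),
}
# Dummy hash at the current factor, used to keep "no such user" as expensive as a real check.
DUMMY_HASH = encode_password(os.urandom(16).hex(), "dummy", CURRENT_ITERATIONS)


def login(username, password, verify):
    """Authenticate against USERS with the given verifier. Returns
    (authenticated, iterations spent); the second value stands in for time."""
    encoded = USERS.get(username)
    if encoded is None:
        _, work = verify(password, DUMMY_HASH)
        return False, work
    return verify(password, encoded)


if __name__ == "__main__":
    for verify in (verify_vulnerable, verify_hardened):
        print(verify.__name__)
        for user in ("alice", "bob", "nobody"):
            print("  %-6s -> %s" % (user, login(user, "wrong password", verify)))
```

With the vulnerable verifier the unknown-user and current-factor cases already cost the same, but a legacy-factor account answers in a fraction of the time, which is what distinguishes existing users from absent ones; the hardened verifier flattens all three to the same cost.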
Moderate: Red Hat Security Advisory: python-django security update
An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 6.0 Juno for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, ...
rubygem-actionpack: Timing attack vulnerability in basic authentication in Action Controller
A flaw was found in the way the Action Controller component compared user names and passwords when performing HTTP basic authentication. Time taken to compare strings could differ depending on input, possibly allowing a remote attacker to determine valid user names and passwords using a timing...
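Added example, not code from Rails, phpMyAdmin or any advisory on this page: a Python model of the early-exit string comparison behind this class of bug, a byte-at-a-time recovery against it, and a hardened HTTP Basic auth check that hashes both sides to a fixed length and compares them with hmac.compare_digest, in the spirit of the fix described above. The oracle reports how many bytes were compared instead of wall-clock time (a real attack measures latency and averages many samples); the secret, alphabet, header helper and all function names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import string


def naive_equal(a: bytes, b: bytes):
    """Early-exit comparison, the shape of a plain == on strings.
    Returns (equal, steps); steps is the number of byte pairs examined and
    stands in for elapsed time in this demo."""
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def recover_secret(oracle, length, alphabet):
    """Recover a secret one byte at a time from an oracle returning (equal, steps):
    the candidate that pushes the comparison one byte further is the right one,
    and the final byte is confirmed by the oracle accepting the full guess."""
    guess = bytearray(length)  # zero bytes, assumed not to occur in the secret
    for i in range(length):
        best, best_steps = None, -1
        for c in alphabet:
            guess[i] = c
            equal, steps = oracle(bytes(guess))
            if equal:
                return bytes(guess)
            if steps > best_steps:
                best, best_steps = c, steps
        guess[i] = best
    return bytes(guess)


def check_basic_auth(header_value, expected_user, expected_password):
    """Fixed-time Basic auth check. Both values are hashed first so the compared
    buffers always have the same length (compare_digest returns early on a
    length mismatch), and user name and password are both always compared."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, password = base64.b64decode(encoded, validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 credentials
        return False

    def digest(s):
        return hashlib.sha256(s.encode()).digest()

    user_ok = hmac.compare_digest(digest(user), digest(expected_user))
    password_ok = hmac.compare_digest(digest(password), digest(expected_password))
    return user_ok and password_ok  # both comparisons already ran; no short-circuit


# Constructed demo data.
DEMO_SECRET = b"s3cret"
DEMO_ALPHABET = (string.ascii_lowercase + string.digits).encode()


def demo_recover():
    """Drive recover_secret against the leaky comparator guarding DEMO_SECRET."""
    return recover_secret(lambda g: naive_equal(g, DEMO_SECRET), len(DEMO_SECRET), DEMO_ALPHABET)


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    print("recovered:", demo_recover())
    print(check_basic_auth(basic_header("admin", "hunter2"), "admin", "hunter2"))
```

Recovering a six-byte secret costs at most 36 queries per position here instead of 36 to the sixth power, which is why a comparison that stops at the first differing byte counts as a vulnerability even though each individual query still fails.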
Fedora 23 : php-symfony-2.7.7-2.fc23 / php-twig-1.23.1-2.fc23 (2015-0efcb5fbc5)
Twig 1.23.1 (2015-11-05): fixed some exception messages which triggered PHP warnings; fixed BC on Twig_Test_NodeTestCase. Twig 1.23.0 (2015-10-29): deprecated the possibility to override an extension by registering another one with the same name; deprecated Twig_ExtensionInterface::getGlobals; added...
Fedora 22 : php-symfony-2.7.7-2.fc22 / php-twig-1.23.1-2.fc22 (2015-0b89738311)
Twig 1.23.1 (2015-11-05): fixed some exception messages which triggered PHP warnings; fixed BC on Twig_Test_NodeTestCase. Twig 1.23.0 (2015-10-29): deprecated the possibility to override an extension by registering another one with the same name; deprecated Twig_ExtensionInterface::getGlobals; added...
UBUNTU-CVE-2016-2513
The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests...
CVE-2016-2513
The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests...
SUSE-SU-2016:0623-1 Security update for rubygem-activesupport-3_2
This update for rubygem-activesupport-3_2 fixes the following issues: - CVE-2015-7576: Timing attack vulnerability in basic authentication in Action Controller (bsc#963329)...
SUSE-SU-2016:0618-1 Security update for rubygem-actionpack-3_2
This update for rubygem-actionpack-3_2 fixes the following issues: - CVE-2016-0751: Object Leak DoS (bsc#963331) - CVE-2016-0752: Directory traversal and information leak in Action View (bsc#963332) - CVE-2015-7576: Timing attack vulnerability in basic authentication in Action Controller (bsc#963329)...
HackerOne: Race Conditions Exist When Accepting Invitations
Hi All, Further to my last two comments on report 118312 and realizing that tokens are being stored in the DB, I realized there is probably a race condition vulnerability which allows invitation tokens to be consumed at least twice depending on the server/database response time. I tested it tonig...
SUSE-SU-2016:0600-1 Security update for rubygem-activesupport-4_1
This update for rubygem-activesupport-4_1 fixes the following issues: - CVE-2016-0753: Input Validation Circumvention (bsc#963334) - CVE-2015-7576: Timing attack vulnerability in basic authentication in Action Controller (bsc#963329)...
phpMyAdmin 4.0.x < 4.0.10.13 / 4.4.x < 4.4.15.3 / 4.5.x < 4.5.4 Multiple Vulnerabilities (PMASA-2016-1 - PMASA-2016-5)
According to its self-reported version number, the phpMyAdmin application hosted on the remote web server is 4.0.x prior to 4.0.10.13, 4.4.x prior to 4.4.15.3, or 4.5.x prior to 4.5.4. It is, therefore, affected by the following vulnerabilities : - A security bypass vulnerability exists due to th...
UBUNTU-CVE-2016-2041
libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences...
CVE-2015-7576
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a...
UBUNTU-CVE-2015-7576
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a...
DEBIAN-CVE-2015-7576
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a...