Source: ubuntucve (Ubuntu.com), UB:CVE-2012-2317
Date: May 14, 2012 - 12:00 a.m.

CVE-2012-2317


AI Score: 7.2 High (Confidence: Low)

CVSS2: 4.3 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.002 Low (Percentile: 55.7%)

The Debian php_crypt_revamped.patch patch for PHP 5.3.x, as used in the
php5 package before 5.3.3-7+squeeze4 in Debian GNU/Linux squeeze, the php5
package before 5.3.2-1ubuntu4.17 in Ubuntu 10.04 LTS, and the php5 package
before 5.3.5-1ubuntu7.10 in Ubuntu 11.04, does not properly handle an empty
salt string, which might allow remote attackers to bypass authentication by
leveraging an application that relies on the PHP crypt function to choose a
salt for password hashing.

Notes

Author: mdeslaur
Note:
  introduced in php_crypt_revamped.patch patch in 5.3.2-1
  reproducer in debian bug
  also fixed in 5.3.3-7+squeeze4

OS      Version  Architecture  Package  Version               Filename
ubuntu  10.04    noarch        php5     < 5.3.2-1ubuntu4.17   UNKNOWN
ubuntu  11.04    noarch        php5     < 5.3.5-1ubuntu7.10   UNKNOWN
