Ubuntu.comUB:CVE-2012-2317CVE-2012-2317
7.2 High
AI Score
Confidence
Low
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
55.0%
The Debian php_crypt_revamped.patch patch for PHP 5.3.x, as used in the
php5 package before 5.3.3-7+squeeze4 in Debian GNU/Linux squeeze, the php5
package before 5.3.2-1ubuntu4.17 in Ubuntu 10.04 LTS, and the php5 package
before 5.3.5-1ubuntu7.10 in Ubuntu 11.04, does not properly handle an empty
salt string, which might allow remote attackers to bypass authentication by
leveraging an application that relies on the PHP crypt function to choose a
salt for password hashing.
Bugs
- <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581170>
- <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572601 (introduced by this bug)>
Notes
| Author | Note |
|---|---|
| mdeslaur | introduced in php_crypt_revamped.patch patch in 5.3.2-1 reproducer in debian bug also fixed in 5.3.3-7+squeeze4 |
Related
7.2 High
AI Score
Confidence
Low
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
55.0%