CVSS2 score: 5 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
Vector | AV:N/AC:L/Au:N/C:N/I:N/A:P |

CVSS3 score: 7.5 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

EPSS score: 0.002 Low
EPSS percentile: 51.8%
sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial
of service (CPU consumption) because the algorithm’s runtime is
proportional to the square of the length of the password.
Author | Note |
---|---|
seth-arnold | Actually addressing this will likely require every site that is using these password storage formats to make plans for an orderly transition to argon2 or scrypt or similar before making configuration changes. We may mark all of these packages as ‘ignored’ without any further work. |
rodrigo-zaiden | Despite the risks of applying any changes, there are no clues that glibc upstream will get this fixed. But just to make sure, before marking as ignored, I will mark as deferred as of 2022-06-01 so we can revisit it in the future. |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | dietlibc | < any | UNKNOWN |
ubuntu | 20.04 | noarch | dietlibc | < any | UNKNOWN |
ubuntu | 22.04 | noarch | dietlibc | < any | UNKNOWN |
ubuntu | 23.10 | noarch | dietlibc | < any | UNKNOWN |
ubuntu | 24.04 | noarch | dietlibc | < any | UNKNOWN |
ubuntu | 16.04 | noarch | dietlibc | < any | UNKNOWN |
ubuntu | 14.04 | noarch | eglibc | < any | UNKNOWN |
ubuntu | 18.04 | noarch | glibc | < any | UNKNOWN |
ubuntu | 20.04 | noarch | glibc | < any | UNKNOWN |
ubuntu | 22.04 | noarch | glibc | < any | UNKNOWN |
akkadia.org/drepper/SHA-crypt.txt
launchpad.net/bugs/cve/CVE-2016-20013
nvd.nist.gov/vuln/detail/CVE-2016-20013
pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/
security-tracker.debian.org/tracker/CVE-2016-20013
twitter.com/solardiz/status/795601240151457793
www.cve.org/CVERecord?id=CVE-2016-20013