CVE-2011-2483

crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:N/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
VendorProductVersion
phpphp
𝑥
< 5.3.7
postgresqlpostgresql
8.2.0 ≤
𝑥
< 8.2.22
postgresqlpostgresql
8.3.0 ≤
𝑥
< 8.3.16
postgresqlpostgresql
8.4.0 ≤
𝑥
< 8.4.9
postgresqlpostgresql
9.0.0 ≤
𝑥
< 9.0.5
openwallcrypt_blowfish
𝑥
< 1.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libcrypt-eksblowfish-perl
bullseye
0.009-2
fixed
squeeze
no-dsa
sid
0.009-3
fixed
trixie
0.009-3
fixed
bookworm
0.009-3
fixed
libxcrypt
bullseye
1:4.4.18-4
fixed
squeeze
no-dsa
bookworm
1:4.4.33-2
fixed
sid
1:4.4.36-5
fixed
trixie
1:4.4.36-5
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
john
vivid
not-affected
utopic
not-affected
trusty
dne
saucy
not-affected
raring
not-affected
quantal
not-affected
precise
not-affected
oneiric
not-affected
natty
ignored
maverick
ignored
lucid
ignored
hardy
ignored
libcrypt-eksblowfish-perl
vivid
not-affected
utopic
not-affected
trusty
dne
saucy
not-affected
raring
not-affected
quantal
not-affected
precise
not-affected
oneiric
not-affected
natty
not-affected
maverick
not-affected
lucid
not-affected
hardy
not-affected
php5
vivid
not-affected
utopic
not-affected
trusty
not-affected
saucy
not-affected
raring
not-affected
quantal
not-affected
precise
not-affected
oneiric
not-affected
natty
Fixed 5.3.5-1ubuntu7.3
released
maverick
Fixed 5.3.3-1ubuntu9.6
released
lucid
Fixed 5.3.2-1ubuntu4.10
released
hardy
Fixed 5.2.4-2ubuntu5.18
released
postgresql-8.2
vivid
dne
utopic
dne
trusty
dne
saucy
dne
raring
dne
quantal
dne
precise
dne
oneiric
dne
natty
dne
maverick
dne
lucid
dne
hardy
ignored
postgresql-8.3
vivid
dne
utopic
dne
trusty
dne
saucy
dne
raring
dne
quantal
dne
precise
dne
oneiric
dne
natty
dne
maverick
dne
lucid
dne
hardy
Fixed 8.3.16-0ubuntu0.8.04
released
postgresql-8.4
vivid
dne
utopic
dne
trusty
dne
saucy
dne
raring
dne
quantal
dne
precise
not-affected
oneiric
ignored
natty
Fixed 8.4.9-0ubuntu0.11.04
released
maverick
Fixed 8.4.9-0ubuntu0.10.10
released
lucid
Fixed 8.4.9-0ubuntu0.10.04
released
hardy
dne
postgresql-9.1
vivid
dne
utopic
dne
trusty
dne
saucy
not-affected
raring
not-affected
quantal
not-affected
precise
not-affected
oneiric
not-affected
natty
dne
maverick
dne
lucid
dne
hardy
dne
Common Weakness Enumeration
References
http://freshmeat.net/projects/crypt_blowfish
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00015.html
http://php.net/security/crypt_blowfish
http://support.apple.com/kb/HT5130
http://www.debian.org/security/2011/dsa-2340
http://www.debian.org/security/2012/dsa-2399
http://www.mandriva.com/security/advisories?name=MDVSA-2011:165
http://www.mandriva.com/security/advisories?name=MDVSA-2011:178
http://www.mandriva.com/security/advisories?name=MDVSA-2011:179
http://www.mandriva.com/security/advisories?name=MDVSA-2011:180
http://www.openwall.com/crypt/
http://www.php.net/ChangeLog-5.php#5.3.7
http://www.php.net/archive/2011.php#id2011-08-18-1
http://www.postgresql.org/docs/8.4/static/release-8-4-9.html
http://www.redhat.com/support/errata/RHSA-2011-1377.html
http://www.redhat.com/support/errata/RHSA-2011-1378.html
http://www.redhat.com/support/errata/RHSA-2011-1423.html
http://www.securityfocus.com/bid/49241
http://www.ubuntu.com/usn/USN-1229-1
https://exchange.xforce.ibmcloud.com/vulnerabilities/69319
http://freshmeat.net/projects/crypt_blowfish
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00015.html
http://php.net/security/crypt_blowfish
http://support.apple.com/kb/HT5130
http://www.debian.org/security/2011/dsa-2340
http://www.debian.org/security/2012/dsa-2399
http://www.mandriva.com/security/advisories?name=MDVSA-2011:165
http://www.mandriva.com/security/advisories?name=MDVSA-2011:178
http://www.mandriva.com/security/advisories?name=MDVSA-2011:179
http://www.mandriva.com/security/advisories?name=MDVSA-2011:180
http://www.openwall.com/crypt/
http://www.php.net/ChangeLog-5.php#5.3.7
http://www.php.net/archive/2011.php#id2011-08-18-1
http://www.postgresql.org/docs/8.4/static/release-8-4-9.html
http://www.redhat.com/support/errata/RHSA-2011-1377.html
http://www.redhat.com/support/errata/RHSA-2011-1378.html
http://www.redhat.com/support/errata/RHSA-2011-1423.html
http://www.securityfocus.com/bid/49241
http://www.ubuntu.com/usn/USN-1229-1
https://exchange.xforce.ibmcloud.com/vulnerabilities/69319