CVE-2012-2317

The Debian php_crypt_revamped.patch patch for PHP 5.3.x, as used in the php5 package before 5.3.3-7+squeeze4 in Debian GNU/Linux squeeze, the php5 package before 5.3.2-1ubuntu4.17 in Ubuntu 10.04 LTS, and the php5 package before 5.3.5-1ubuntu7.10 in Ubuntu 11.04, does not properly handle an empty salt string, which might allow remote attackers to bypass authentication by leveraging an application that relies on the PHP crypt function to choose a salt for password hashing.
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | 4.3 UNKNOWN | NETWORK | MEDIUM | | AV:N/AC:M/Au:N/C:N/I:P/A:N
redhat | CNA | --- | ---
CVE | ADP | --- | ---
EPSS Score Percentile: 75%
Vendor | Product | Version
debian | php5-common | 𝑥 ≤ 5.3.2-1
debian | php5-common | 5.3.3-7+squeeze4
debian | debian_linux | *
canonical | php5 | 𝑥 ≤ 5.3.2-1ubuntu4.16
canonical | php5 | 5.3.2-1ubuntu4.17
canonical | ubuntu_linux | 10.04
canonical | php5 | 𝑥 ≤ 5.3.5-1ubuntu7.9
canonical | php5 | 5.3.5-1ubuntu7.10
canonical | ubuntu_linux | 11.04
𝑥 = Vulnerable software versions
Ubuntu Releases
Ubuntu Product | Codename | Status
php5 | precise | not-affected
php5 | oneiric | not-affected
php5 | natty | Fixed 5.3.5-1ubuntu7.10, released
php5 | lucid | Fixed 5.3.2-1ubuntu4.17, released
php5 | hardy | not-affected
Common Weakness Enumeration