CVE-2013-1895

The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 50%
VendorProductVersion
pythonpy-bcrypt
𝑥
< 0.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-bcrypt
bullseye
3.1.7-4
fixed
squeeze
not-affected
bookworm
3.2.2-1
fixed
sid
4.2.0-2
fixed
trixie
4.2.0-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-bcrypt
trusty
dne
saucy
ignored
raring
ignored
quantal
ignored
precise
not-affected
oneiric
ignored
lucid
not-affected
hardy
dne
Common Weakness Enumeration
References
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101382.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101387.html
http://www.openwall.com/lists/oss-security/2013/03/26/2
http://www.securityfocus.com/bid/58702
https://exchange.xforce.ibmcloud.com/vulnerabilities/83039
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101382.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101387.html
http://www.openwall.com/lists/oss-security/2013/03/26/2
http://www.securityfocus.com/bid/58702
https://exchange.xforce.ibmcloud.com/vulnerabilities/83039