CVE-2013-1895

HIGH

Python Py-bcrypt < 0.3 - Brute Force

Title source: rule

Description

The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten.

Scores

CVSS v3: 7.5
EPSS: 0.0028
EPSS Percentile: 50.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Classification

CWE: CWE-307
Status: published

Affected Products (4)

python/py-bcrypt < 0.3
fedoraproject/fedora
fedoraproject/fedora
pypi/py-bcrypt < 0.3 (PyPI)

Timeline

Published: Jan 28, 2020
Tracked Since: Feb 18, 2026