CVE-2013-1895
HIGH
py-bcrypt < 0.3 - Authentication Bypass via Concurrent Memory Access
Title source: llm
Description
The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten.
References (5)
Core References
Mailing List, Third Party Advisory x_refsource_misc
http://www.openwall.com/lists/oss-security/2013/03/26/2
Third Party Advisory x_refsource_misc
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101387.html
Third Party Advisory, Tool Signature x_refsource_misc
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101382.html
Third Party Advisory, VDB Entry x_refsource_misc
http://www.securityfocus.com/bid/58702
Third Party Advisory, VDB Entry x_refsource_misc
https://exchange.xforce.ibmcloud.com/vulnerabilities/83039
Scores
CVSS v3
7.5
EPSS
0.0118
EPSS Percentile
79.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-307
Status
published
Products (4)
fedoraproject/fedora
17
fedoraproject/fedora
18
pypi/py-bcrypt
0 - 0.3 (PyPI)
python/py-bcrypt
< 0.3
Published
Jan 28, 2020
Tracked Since
Feb 18, 2026