CVE-2013-1895

The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten.

Published: Jan 28, 2020
Updated: May 9, 2024
CVE: CVE-2013-1895
GHSA: GHSA-r838-q6jp-58xx
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-307

Affected Software
References

Software	From	Fixed in
python / py-bcrypt	-	0.3
fedoraproject / fedora	17	17.x
fedoraproject / fedora	18	18.x
py-bcrypt	-	0.3

http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101382.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101387.html
http://www.openwall.com/lists/oss-security/2013/03/26/2
http://www.securityfocus.com/bid/58702
https://exchange.xforce.ibmcloud.com/vulnerabilities/83039

Vulnerability Database

287,717

CVE-2013-1895