CVE-2012-4571
| Severity | CVSS v3 | CVSS v2 | VIR risk |
|---|---|---|---|
| low | — | 2.1 | 2.1 |
Description
Python Keyring 0.9.1 does not securely initialize the cipher when encrypting passwords for CryptedFileKeyring files, which makes it easier for local users to obtain passwords via a brute-force attack.
Predictions
| Exploit likelihood | Patch ETA |
|---|---|
| 30% | — |
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2012-4571
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 0.9.2-1 |
| debian | bullseye | fixed | 0.9.2-1 |
| debian | forky | fixed | 0.9.2-1 |
| debian | sid | fixed | 0.9.2-1 |
| debian | trixie | fixed | 0.9.2-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | keyring | <0.9.2 | 0.9.2 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| python | keyring | 0.9.1 | |
References
- http://pypi.python.org/pypi/keyring
- http://www.openwall.com/lists/oss-security/2012/10/31/8
- http://www.ubuntu.com/usn/USN-1634-1
- https://bugs.launchpad.net/ubuntu/+source/python-keyring/+bug/1004845
- https://nvd.nist.gov/vuln/detail/CVE-2012-4571
- https://github.com/jaraco/keyring/commit/162f2ed0e39e16d561732b9fad8af6cd2341d7bd
- https://github.com/jaraco/keyring/commit/56272d908ba7a3fe4ebb6d6e87a7cc569f4726ac
- https://github.com/jaraco/keyring/commit/a76942672f6ac85a88bd9b9ed31fd133119b7702
- https://github.com/jaraco/keyring/commit/cbf509b0386c3063d8b2879ce72d78ac18023f72
- https://github.com/jaraco/keyring/commit/cc1ead78d1e3fab9fa8bb0b4bb334cb82d35db52
- https://github.com/jaraco/keyring
- https://github.com/pypa/advisory-database/tree/main/vulns/keyring/PYSEC-2012-8.yaml
- https://security-tracker.debian.org/tracker/CVE-2012-4571
CWEs
CWE-310 (Cryptographic Issues)