CVE-2013-1895
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple simultaneous authentication requests that cause the password hash to be overwritten.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2013-1895
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 0.4-1 |
| debian | bullseye | fixed | 0.4-1 |
| debian | forky | fixed | 0.4-1 |
| debian | sid | fixed | 0.4-1 |
| debian | trixie | fixed | 0.4-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | py-bcrypt | <0.3 | 0.3 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2013-1895
- https://exchange.xforce.ibmcloud.com/vulnerabilities/83039
- https://github.com/advisories/GHSA-r838-q6jp-58xx
- https://github.com/grnet/python-bcrypt
- https://github.com/pypa/advisory-database/tree/main/vulns/py-bcrypt/PYSEC-2020-249.yaml
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101382.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101387.html
- http://www.openwall.com/lists/oss-security/2013/03/26/2
- http://www.securityfocus.com/bid/58702
- https://security-tracker.debian.org/tracker/CVE-2013-1895