Ecosyste.ms: Advisories
Security Advisories: GSA_kwCzR0hTQS1yODM4LXE2anAtNTh4eM0WdA
Improper Restriction of Excessive Authentication Attempts in py-bcrypt
The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access: concurrent hashing calls can overwrite one another's result, so an attacker who issues multiple authentication requests at the same time can cause the wrong password hash to be compared and bypass authentication.
Permalink: https://github.com/advisories/GHSA-r838-q6jp-58xx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yODM4LXE2anAtNTh4eM0WdA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-r838-q6jp-58xx, CVE-2013-1895
References:
- https://nvd.nist.gov/vuln/detail/CVE-2013-1895
- https://exchange.xforce.ibmcloud.com/vulnerabilities/83039
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101382.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101387.html
- http://www.openwall.com/lists/oss-security/2013/03/26/2
- http://www.securityfocus.com/bid/58702
- https://github.com/advisories/GHSA-r838-q6jp-58xx
Affected Packages
pypi:py-bcrypt
Dependent packages: 6
Dependent repositories: 1,213
Downloads: 54,676 last month
Affected Version Ranges: < 0.3
Fixed in: 0.3