CVE-2013-1895
First published: Tue Jan 28 2020(Updated: )
The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/py-bcrypt | <0.3 | 0.3 |
| Python py-bcrypt | <0.3 | |
| Fedora | =17 | |
| Fedora | =18 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101382.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101387.html
- http://www.openwall.com/lists/oss-security/2013/03/26/2
- http://www.securityfocus.com/bid/58702
- https://exchange.xforce.ibmcloud.com/vulnerabilities/83039
- https://nvd.nist.gov/vuln/detail/CVE-2013-1895
- https://github.com/advisories/GHSA-r838-q6jp-58xx (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/py-bcrypt/PYSEC-2020-249.yaml
Frequently Asked Questions
What is the severity of CVE-2013-1895?
CVE-2013-1895 has a medium severity due to its potential to allow attackers to bypass authentication.
How do I fix CVE-2013-1895?
To fix CVE-2013-1895, upgrade the py-bcrypt module to version 0.3 or later.
Which versions of py-bcrypt are affected by CVE-2013-1895?
CVE-2013-1895 affects all versions of py-bcrypt prior to 0.3.
Can CVE-2013-1895 lead to unauthorized access?
Yes, CVE-2013-1895 can lead to unauthorized access through multiple concurrent authentication requests.
What software systems are impacted by CVE-2013-1895?
CVE-2013-1895 impacts systems using py-bcrypt versions below 0.3, including specific Fedora releases.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/description
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-r838-q6jp-58xx
- alias/CVE-2013-1895
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/severity
- agent/author
- agent/event
- collector/github-advisory
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/pip
- vendor/python
- canonical/python py-bcrypt
- vendor/fedoraproject
- canonical/fedora
- version/fedora/17
- version/fedora/18