CVE-2013-1895
First published: Tue Jan 28 2020(Updated: )
The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Python Py-bcrypt | <0.3 | |
| Fedoraproject Fedora | =17 | |
| Fedoraproject Fedora | =18 | |
| pip/py-bcrypt | <0.3 | 0.3 |
| <0.3 | ||
| =17 | ||
| =18 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101382.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101387.html
- http://www.openwall.com/lists/oss-security/2013/03/26/2
- http://www.securityfocus.com/bid/58702
- https://exchange.xforce.ibmcloud.com/vulnerabilities/83039
- https://nvd.nist.gov/vuln/detail/CVE-2013-1895
- https://github.com/advisories/GHSA-r838-q6jp-58xx (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/py-bcrypt/PYSEC-2020-249.yaml
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/description
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-r838-q6jp-58xx
- alias/CVE-2013-1895
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/severity
- agent/author
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- vendor/python
- canonical/python py-bcrypt
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/17
- version/fedoraproject fedora/18
- package-manager/pip