GHSA-r838-q6jp-58xx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r838-q6jp-58xx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-r838-q6jp-58xx/GHSA-r838-q6jp-58xx.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-r838-q6jp-58xx
- Aliases
- Published
- 2021-10-12T16:31:22Z
- Modified
- 2024-10-21T20:24:59.639300Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Improper Restriction of Excessive Authentication Attempts in py-bcrypt
- Details
-
The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten.
- Database specific
{ "nvd_published_at": "2020-01-28T15:15:00Z", "cwe_ids": [ "CWE-307" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-10-08T23:00:17Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2013-1895
- https://exchange.xforce.ibmcloud.com/vulnerabilities/83039
- https://github.com/advisories/GHSA-r838-q6jp-58xx
- https://github.com/grnet/python-bcrypt
- https://github.com/pypa/advisory-database/tree/main/vulns/py-bcrypt/PYSEC-2020-249.yaml
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101382.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101387.html
- http://www.openwall.com/lists/oss-security/2013/03/26/2
Affected packages
PyPI / py-bcrypt
Package
- Name
- py-bcrypt
- View open source insights on deps.dev
- Purl
- pkg:pypi/py-bcrypt