CVE-2013-1895 – py-bcrypt
Package
Manager: pip
Name: py-bcrypt
Vulnerable Version: >=0 <0.3
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00279 (percentile: 0.50871)
Details
Improper Restriction of Excessive Authentication Attempts in py-bcrypt
The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten.
Metadata
Created: 2021-10-12T16:31:22Z
Modified: 2024-10-21T20:06:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-r838-q6jp-58xx/GHSA-r838-q6jp-58xx.json
CWE IDs: ["CWE-307"]
Alternative ID: GHSA-r838-q6jp-58xx
Finding: F053
Auto approve: 1