Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
5
CVSSv2

CVE-2011-2483

Published: 25/08/2011 Updated: 23/04/2024
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Subscribe to Php

Vulnerability Summary

crypt_blowfish prior to 1.1, as used in PHP prior to 5.3.7 on certain platforms, PostgreSQL prior to 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent malicious users to determine a cleartext password by leveraging knowledge of a password hash.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

php php

postgresql postgresql

openwall crypt blowfish

Vendor Advisories

Debian CVElist Bug Report Logs: CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows different password pairs to produce the same hash
Debian Bug report logs - #631283 CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows different password pairs to produce the same hash Package: php5-suhosin; Maintainer for php5-suhosin is (unknown); Reported by: Luciano Bello <luciano@debianorg> Date: Wed, 22 Jun 2011 14:51:06 UTC Severity: serious Tags: sec ...
Ubuntu Security Notice: postgresql-8.3, postgresql-8.4 vulnerability
PostgreSQL incorrectly handled blowfish passwords ...
Ubuntu Security Notice: php5 vulnerabilities
Several security issues were fixed in PHP ...
Debian Security Advisories: DSA-2340-1 postgresql-8.3, postgresql-8.4, postgresql-9.0 -- weak password hashing
magnum discovered that the blowfish password hashing used amongst others in PostgreSQL contained a weakness that would give passwords with 8 bit characters the same hash as weaker equivalents For the oldstable distribution (lenny), this problem has been fixed in postgresql-83 version 8316-0lenny1 For the stable distribution (squeeze), this pro ...
Debian Security Advisories: DSA-2399-2 php5 -- several vulnerabilities
Several vulnerabilities have been discovered in PHP, the web scripting language The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2011-1938 The UNIX socket handling allowed attackers to trigger a buffer overflow via a long path name CVE-2011-2483 The crypt_blowfish function did not properly handle 8-bit ...
Amazon Linux AMI: ALAS-2011-012
A signedness issue was found in the way the crypt() function in the PostgreSQL pgcrypto module handled 8-bit characters in passwords when using Blowfish hashing Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length This made br ...
Amazon Linux AMI: ALAS-2011-007
PHP before 537 does not properly check the return values of the malloc, calloc, and realloc library functions, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger a buffer overflow by leveraging the ability to provide an arbitrary value for a function argument, related ...

Github Repositories

https://github.com/SaltwaterC/PasswordHash2

Portable password hashing framework for PHP. Uses the bcrypt and the SHA2 crypt() alternative schemes.

About Portable password hashing framework for PHP Originally inspired by phpass v03, hence the name PasswordHash2 However, it resembles none of the phpass framework If the crypt() does not implement the desired scheme, a pure PHP implementation is available My proposed SHA2 schemes are, well, proposed Unless they don't gain some traction, you won't see them impl

References

CWE-310http://www.openwall.com/crypt/http://www.php.net/archive/2011.php#id2011-08-18-1http://www.securityfocus.com/bid/49241http://www.php.net/ChangeLog-5.php#5.3.7http://php.net/security/crypt_blowfishhttp://freshmeat.net/projects/crypt_blowfishhttp://www.redhat.com/support/errata/RHSA-2011-1378.htmlhttp://www.postgresql.org/docs/8.4/static/release-8-4-9.htmlhttp://www.redhat.com/support/errata/RHSA-2011-1377.htmlhttp://lists.opensuse.org/opensuse-security-announce/2011-08/msg00015.htmlhttp://www.ubuntu.com/usn/USN-1229-1http://www.redhat.com/support/errata/RHSA-2011-1423.htmlhttp://www.mandriva.com/security/advisories?name=MDVSA-2011:165http://www.mandriva.com/security/advisories?name=MDVSA-2011:180http://www.mandriva.com/security/advisories?name=MDVSA-2011:179http://www.mandriva.com/security/advisories?name=MDVSA-2011:178http://www.debian.org/security/2011/dsa-2340http://support.apple.com/kb/HT5130http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.htmlhttp://www.debian.org/security/2012/dsa-2399http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705https://exchange.xforce.ibmcloud.com/vulnerabilities/69319https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631283https://usn.ubuntu.com/1229-1/https://nvd.nist.gov
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2022-48654CVE-2024-2757authentication bypassCVE-2024-3194CVE-2024-33640CVE-2024-21111dosinsecure direct object referenceCVE-2024-21345
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook