National Vulnerability Database (NVD) National Vulnerability Database (CVE-2011-2483)

National Cyber Awareness System

Vulnerability Summary for CVE-2011-2483

Original release date:08/25/2011

Last revised:02/09/2012

Source: US-CERT/NIST

Overview

crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type:Allows unauthorized disclosure of information

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: CONFIRM

Name: http://www.openwall.com/crypt/

Type: Patch Information

Hyperlink:http://www.openwall.com/crypt/

External Source: XF

Name: php-cryptblowfish-info-disclosure(69319)

Hyperlink:http://xforce.iss.net/xforce/xfdb/69319

External Source: UBUNTU

Name: USN-1229-1

Hyperlink:http://www.ubuntu.com/usn/USN-1229-1

External Source: BID

Name: 49241

Hyperlink:http://www.securityfocus.com/bid/49241

External Source: REDHAT

Name: RHSA-2011:1423

Hyperlink:http://www.redhat.com/support/errata/RHSA-2011-1423.html

External Source: REDHAT

Name: RHSA-2011:1378

Hyperlink:http://www.redhat.com/support/errata/RHSA-2011-1378.html

External Source: REDHAT

Name: RHSA-2011:1377

Hyperlink:http://www.redhat.com/support/errata/RHSA-2011-1377.html

External Source: CONFIRM

Name: http://www.postgresql.org/docs/8.4/static/release-8-4-9.html

Hyperlink:http://www.postgresql.org/docs/8.4/static/release-8-4-9.html

External Source: CONFIRM

Name: http://www.php.net/ChangeLog-5.php#5.3.7

Hyperlink:http://www.php.net/ChangeLog-5.php#5.3.7

External Source: CONFIRM

Name: http://www.php.net/archive/2011.php#id2011-08-18-1

Hyperlink:http://www.php.net/archive/2011.php#id2011-08-18-1

External Source: MANDRIVA

Name: MDVSA-2011:180

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2011:180

External Source: MANDRIVA

Name: MDVSA-2011:179

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2011:179

External Source: MANDRIVA

Name: MDVSA-2011:178

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2011:178

External Source: MANDRIVA

Name: MDVSA-2011:165

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2011:165

External Source: DEBIAN

Name: DSA-2399

Hyperlink:http://www.debian.org/security/2012/dsa-2399

External Source: DEBIAN

Name: DSA-2340

Hyperlink:http://www.debian.org/security/2011/dsa-2340

External Source: CONFIRM

Name: http://support.apple.com/kb/HT5130

Hyperlink:http://support.apple.com/kb/HT5130

External Source: CONFIRM

Name: http://php.net/security/crypt_blowfish

Hyperlink:http://php.net/security/crypt_blowfish

External Source: SUSE

Name: SUSE-SA:2011:035

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00015.html

External Source: APPLE

Name: APPLE-SA-2012-02-01-1

Hyperlink:http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html

External Source: MISC

Name: http://freshmeat.net/projects/crypt_blowfish

Hyperlink:http://freshmeat.net/projects/crypt_blowfish

Vulnerable software and versions

Configuration 1

* cpe:/a:solar_designer:crypt_blowfish:0.4.6

* cpe:/a:solar_designer:crypt_blowfish:0.4.5

* cpe:/a:solar_designer:crypt_blowfish:0.4.4

* cpe:/a:solar_designer:crypt_blowfish:0.4.3

* cpe:/a:solar_designer:crypt_blowfish:0.4.2

* cpe:/a:solar_designer:crypt_blowfish:0.4.1

* cpe:/a:solar_designer:crypt_blowfish:0.4

* cpe:/a:solar_designer:crypt_blowfish:0.3

* cpe:/a:solar_designer:crypt_blowfish:0.2

* cpe:/a:php:php:4.3.10

* cpe:/a:php:php:4.3.1

* cpe:/a:php:php:4.3.2

* cpe:/a:php:php:4.3.11

* cpe:/a:php:php:4.3.4

* cpe:/a:php:php:4.3.3

* cpe:/a:php:php:4.3.6

* cpe:/a:php:php:4.3.5

* cpe:/a:php:php:4.2.1

* cpe:/a:php:php:4.2.0

* cpe:/a:php:php:4.2.3

* cpe:/a:php:php:4.2.2

* cpe:/a:php:php:4.4.5

* cpe:/a:php:php:4.4.6

* cpe:/a:php:php:4.4.7

* cpe:/a:php:php:5.0.0

* cpe:/a:php:php:5.0.0:beta1

* cpe:/a:php:php:5.2.5

* cpe:/a:php:php:5.2.11

* cpe:/a:php:php:4.3.7

* cpe:/a:php:php:4.3.8

* cpe:/a:php:php:4.3.9

* cpe:/a:php:php:5.2.8

* cpe:/a:php:php:5.2.6

* cpe:/a:php:php:4.4.0

* cpe:/a:php:php:4.4.1

* cpe:/a:php:php:4.4.2

* cpe:/a:php:php:4.4.3

* cpe:/a:php:php:4.4.4

* cpe:/a:php:php:5.0.5

* cpe:/a:php:php:5.0.4

* cpe:/a:php:php:5.2.9

* cpe:/a:php:php:5.0.3

* cpe:/a:php:php:5.1.3

* cpe:/a:php:php:5.1.2

* cpe:/a:php:php:5.1.1

* cpe:/a:php:php:5.1.0

* cpe:/a:php:php:5.0.0:rc1

* cpe:/a:php:php:5.0.0:beta4

* cpe:/a:php:php:5.0.0:beta3

* cpe:/a:php:php:5.0.0:beta2

* cpe:/a:php:php:5.0.2

* cpe:/a:php:php:5.0.1

* cpe:/a:php:php:5.0.0:rc3

* cpe:/a:php:php:5.0.0:rc2

* cpe:/a:php:php:5.2.12

* cpe:/a:php:php:5.2.13

* cpe:/a:php:php:5.1.6

* cpe:/a:php:php:5.2.0

* cpe:/a:php:php:5.1.4

* cpe:/a:php:php:5.1.5

* cpe:/a:php:php:5.2.3

* cpe:/a:php:php:5.2.1

* cpe:/a:php:php:5.2.2

* cpe:/a:php:php:1.0

* cpe:/a:php:php:2.0b10

* cpe:/a:php:php:4.4.8

* cpe:/a:php:php:2.0

* cpe:/a:php:php:4.4.9

* cpe:/a:php:php:5.2.10

* cpe:/a:php:php:5.2.4

* cpe:/a:php:php:4.3.0

* cpe:/a:php:php:5.3.0

* cpe:/a:php:php:3.0.11

* cpe:/a:php:php:3.0.10

* cpe:/a:php:php:3.0.13

* cpe:/a:php:php:3.0.12

* cpe:/a:php:php:3.0.1

* cpe:/a:php:php:3.0

* cpe:/a:php:php:3.0.2

* cpe:/a:php:php:3.0.18

* cpe:/a:php:php:3.0.4

* cpe:/a:php:php:3.0.3

* cpe:/a:php:php:3.0.15

* cpe:/a:php:php:3.0.14

* cpe:/a:php:php:3.0.17

* cpe:/a:php:php:3.0.16

* cpe:/a:php:php:4.0:beta1

* cpe:/a:php:php:4.0:beta2

* cpe:/a:php:php:3.0.9

* cpe:/a:php:php:3.0.7

* cpe:/a:php:php:3.0.8

* cpe:/a:php:php:3.0.5

* cpe:/a:php:php:3.0.6

* cpe:/a:php:php:4.0.1

* cpe:/a:php:php:4.0.0

* cpe:/a:php:php:4.0:beta_4_patch1

* cpe:/a:php:php:4.0:beta3

* cpe:/a:php:php:4.0:beta4

* cpe:/a:php:php:4.0.6

* cpe:/a:php:php:4.0.5

* cpe:/a:php:php:4.0.4

* cpe:/a:php:php:4.0.3

* cpe:/a:php:php:4.0.2

* cpe:/a:php:php:4.1.2

* cpe:/a:php:php:4.1.1

* cpe:/a:php:php:4.1.0

* cpe:/a:php:php:5.2.14

* cpe:/a:php:php:4.0.7

* cpe:/a:php:php:5.3.1

* cpe:/a:php:php:5.3.2

* cpe:/a:php:php:5.3.3

* cpe:/a:php:php:5.3.4

* cpe:/a:php:php:5.3.5

* cpe:/a:php:php:5.3.6 and previous versions

* cpe:/a:solar_designer:crypt_blowfish:0.4.7 and previous versions

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

Cryptographic Issues (CWE-310)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2483