CVE-2013-1895: Improper Restriction of Excessive Authentication Attempts in py-bcrypt

October 12, 2021 (updated October 21, 2024)

The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten.

References

exchange.xforce.ibmcloud.com/vulnerabilities/83039
github.com/advisories/GHSA-r838-q6jp-58xx
github.com/grnet/python-bcrypt
github.com/pypa/advisory-database/tree/main/vulns/py-bcrypt/PYSEC-2020-249.yaml
nvd.nist.gov/vuln/detail/CVE-2013-1895

Code Behaviors & Features

Detect and mitigate CVE-2013-1895 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →