CVE-2011-2483
Severity: medium
CVSS v3: not available
CVSS v4: not available
VIR risk: 5.0
Description
crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.
Predictions
Exploit likelihood: 20%
Patch ETA: not available
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
OS impact
Debian: fixed in 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 0 |
| sid | Fixed | 0 |
| forky | Fixed | 0 |
| bullseye | Fixed | 0 |
| bookworm | Fixed | 0 |
Application impact
| Vendor | Product | Affected versions | Fixed in |
|---|---|---|---|
| php | php | < 5.3.7 | 5.3.7 |
| postgresql | postgresql | >= 8.2.0, < 8.2.22 | 8.2.22 |
| openwall | crypt_blowfish | < 1.1 | 1.1 |
| postgresql | postgresql | >= 8.3.0, < 8.3.16 | 8.3.16 |
| postgresql | postgresql | >= 8.4.0, < 8.4.9 | 8.4.9 |
| postgresql | postgresql | >= 9.0.0, < 9.0.5 | 9.0.5 |
References
- http://freshmeat.net/projects/crypt_blowfish
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00015.html
- http://php.net/security/crypt_blowfish
- http://support.apple.com/kb/HT5130
- http://www.debian.org/security/2011/dsa-2340
- http://www.debian.org/security/2012/dsa-2399
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:165
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:178
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:179
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:180
- http://www.openwall.com/crypt/
- http://www.php.net/ChangeLog-5.php#5.3.7
- http://www.php.net/archive/2011.php#id2011-08-18-1
- http://www.postgresql.org/docs/8.4/static/release-8-4-9.html
- http://www.redhat.com/support/errata/RHSA-2011-1377.html
- http://www.redhat.com/support/errata/RHSA-2011-1378.html
- http://www.redhat.com/support/errata/RHSA-2011-1423.html
- http://www.securityfocus.com/bid/49241
- http://www.ubuntu.com/usn/USN-1229-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69319
- https://security-tracker.debian.org/tracker/CVE-2011-2483
CWEs
CWE-310 (Cryptographic Issues)