Vulnerability Description
The Debian php_crypt_revamped.patch patch for PHP 5.3.x, as used in the php5 package before 5.3.3-7+squeeze4 in Debian GNU/Linux squeeze, the php5 package before 5.3.2-1ubuntu4.17 in Ubuntu 10.04 LTS, and the php5 package before 5.3.5-1ubuntu7.10 in Ubuntu 11.04, does not properly handle an empty salt string, which might allow remote attackers to bypass authentication by leveraging an application that relies on the PHP crypt function to choose a salt for password hashing.
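The description above turns on one coding habit: calling crypt() without a salt and trusting the runtime to pick one. The block below is an added example (not code from the advisory, from Debian, or from PHP itself) that shows that pattern next to a hardened one for PHP 5.3.2 and later, where CRYPT_SHA512 is built in. It assumes a Unix host with /dev/urandom; the function names are illustrative.

```php
<?php
// Added example, not code from the advisory, Debian, or PHP. Shows the crypt()
// usage CVE-2012-2317 exposes (letting crypt() choose the salt) beside a
// hardened pattern for PHP 5.3.2+ (CRYPT_SHA512 is built in from that release).
// Assumptions: a Unix host with /dev/urandom; function names are illustrative.

// VULNERABLE PATTERN: no salt is supplied, so the stored hash depends entirely
// on how the installed crypt() handles an empty salt. That empty-salt path is
// the one the Debian php_crypt_revamped.patch mishandled.
function hash_password_vulnerable($password) {
    return crypt($password);            // same as crypt($password, '')
}

// Build a SHA-512 crypt salt ourselves: "$6$rounds=N$" + 16 chars of ./0-9A-Za-z.
// 12 random bytes base64-encode to exactly 16 characters with no padding;
// '+' is swapped for '.' because '+' is outside the crypt alphabet.
function make_sha512_salt($rounds = 10000) {
    $raw = file_get_contents('/dev/urandom', false, null, 0, 12);
    if ($raw === false || strlen($raw) !== 12) {
        throw new RuntimeException('could not read 12 bytes from /dev/urandom');
    }
    $chars = substr(strtr(base64_encode($raw), '+', '.'), 0, 16);
    return sprintf('$6$rounds=%d$%s$', $rounds, $chars);
}

// HARDENED PATTERN: choose the salt explicitly and refuse to store anything that
// is not "<our salt><86-char digest>". A crypt() that hands back an empty string,
// a constant, or only the salt fails loudly here instead of silently in storage.
function hash_password_hardened($password) {
    if (!defined('CRYPT_SHA512') || CRYPT_SHA512 !== 1) {
        throw new RuntimeException('CRYPT_SHA512 not available in this PHP build');
    }
    $salt = make_sha512_salt();
    $hash = crypt($password, $salt);
    if (!is_string($hash)
        || strlen($hash) !== strlen($salt) + 86
        || strncmp($hash, $salt, strlen($salt)) !== 0) {
        throw new RuntimeException('crypt() returned an unexpected result; refusing to store it');
    }
    return $hash;
}

// Verify by re-hashing with the stored hash as the salt, then comparing in
// constant time. hash_equals() only exists from PHP 5.6, so do it by hand.
function verify_password($password, $stored) {
    $computed = crypt($password, $stored);
    if (!is_string($computed) || strlen($computed) !== strlen($stored)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($stored); $i < $n; $i++) {
        $diff |= ord($computed[$i]) ^ ord($stored[$i]);
    }
    return $diff === 0;
}

// Heuristic deploy-time self-test of the empty-salt path: two different
// passwords hashed with no salt must give two different, non-trivial strings
// that are not the password echoed back. A failing check means "do not trust
// crypt() on this host"; a passing one is not a proof of correctness.
function crypt_empty_salt_looks_sane() {
    $a = crypt('correct horse', '');
    $b = crypt('battery staple', '');
    foreach (array('correct horse' => $a, 'battery staple' => $b) as $pw => $h) {
        if (!is_string($h) || strlen($h) < 13 || $h === $pw) {
            return false;
        }
    }
    return $a !== $b;
}

// Usage
$stored = hash_password_hardened('hunter2');
var_dump(verify_password('hunter2', $stored));
var_dump(verify_password('hunter3', $stored));
var_dump(crypt_empty_salt_looks_sane());
```

The point of the length and prefix checks in hash_password_hardened() is that a patched-but-broken crypt() becomes a thrown exception at registration time rather than a row in the users table that later matches an attacker's input. On PHP 5.5 and later, password_hash() and password_verify() replace all of this.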
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian | Php5-Common | <= 5.3.2-1 |
| Debian | Debian Linux | All versions |
| Canonical | Php5 | <= 5.3.2-1ubuntu4.16 |
| Canonical | Ubuntu Linux | 10.04 |
Related Weaknesses (CWE)
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581170
- http://www.openwall.com/lists/oss-security/2012/05/04/7
- http://www.openwall.com/lists/oss-security/2012/05/05/2
- http://www.ubuntu.com/usn/USN-1481-1
FAQ
What is CVE-2012-2317?
CVE-2012-2317 is a vulnerability with a CVSS base score of 4.3 (MEDIUM) in the Debian php_crypt_revamped.patch for PHP 5.3.x. The patched crypt() does not properly handle an empty salt string, so an application that relies on crypt() to choose the salt for password hashing may store hashes that let a remote attacker bypass authentication. The full description, including the affected package versions, is given above.
How severe is CVE-2012-2317?
CVE-2012-2317 has been rated MEDIUM with a CVSS base score of 4.3/10. Only the base score is listed on this page. The impact is an authentication bypass in applications that let crypt() choose the salt, which is why the rating is moderate rather than high: applications that supply their own salt are not affected.
Is there a patch for CVE-2012-2317?
Yes. Fixed versions are php5 5.3.3-7+squeeze4 for Debian GNU/Linux squeeze, 5.3.2-1ubuntu4.17 for Ubuntu 10.04 LTS and 5.3.5-1ubuntu7.10 for Ubuntu 11.04; see USN-1481-1 and Debian bug 581170 in the references above. Affected products include: Debian Php5-Common, Debian Debian Linux, Canonical Php5, Canonical Ubuntu Linux.