Vulnerability Description
sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.
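The quadratic step is visible in the algorithm itself. The following is an added example, not code from either affected project or from the references: a from-spec sha512crypt in Python (the SHA-crypt document in the references gives the steps) with the offending digest marked, plus a length-capped front end as the mitigation a caller controls. The cap value (128 bytes) is an assumed policy value, not something the spec or the page prescribes.

```python
import hashlib

# Added example: sha512crypt written from the SHA-crypt spec so the
# quadratic step can be pointed at, plus a length guard in front of it.

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Output byte interleaving from the spec: group k uses bytes (k, k+21, k+42),
# rotated left by k mod 3, and byte 63 is emitted on its own at the end.
_SHA512_ORDER = []
for _k in range(21):
    _t = (_k, _k + 21, _k + 42)
    _r = _k % 3
    _SHA512_ORDER.append(_t[_r:] + _t[:_r])


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt(3)-style base64: emit n characters, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """sha512crypt as specified in SHA-crypt.txt; imposes no input-length limit."""
    salt = salt[:16]
    H = hashlib.sha512
    plen = len(password)

    # Digest B: password | salt | password.
    b = H(password + salt + password).digest()

    # Digest A: password | salt, then B repeated to cover the password length,
    # then B or the password for each bit of plen (low bit first).
    a = H(password + salt)
    a.update(b * (plen // 64) + b[: plen % 64])
    n = plen
    while n:
        a.update(b if n & 1 else password)
        n >>= 1
    a = a.digest()

    # Digest DP: the password appended to itself plen times, so plen*plen
    # bytes are hashed here. This is the step that makes the runtime
    # proportional to the square of the password length (CVE-2016-20013).
    dp = H(password * plen).digest()
    p = (dp * (plen // 64 + 1))[:plen]

    # Digest DS: salt repeated 16 + A[0] times, truncated to the salt length.
    ds = H(salt * (16 + a[0])).digest()
    s = (ds * (len(salt) // 64 + 1))[: len(salt)]

    # Main loop: each round hashes O(plen) bytes, so this part is linear.
    c = a
    for i in range(rounds):
        h = H()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()

    enc = "".join(_b64_from_24bit(c[i], c[j], c[k], 4) for i, j, k in _SHA512_ORDER)
    enc += _b64_from_24bit(0, 0, c[63], 2)
    prefix = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return f"{prefix}{salt.decode('ascii')}${enc}"


# Assumed policy value: the algorithm has no limit of its own, so the caller
# must bound the input before it reaches the DP step.
MAX_PASSWORD_BYTES = 128


def hash_password(password: str, salt: bytes, max_bytes: int = MAX_PASSWORD_BYTES) -> str:
    """Reject over-long input before any of the quadratic work is done."""
    raw = password.encode("utf-8")
    if len(raw) > max_bytes:
        raise ValueError(f"password exceeds {max_bytes} bytes; refusing to hash")
    return sha512crypt(raw, salt)
```

The guard belongs in front of the hash call, not after it: by the time sha512crypt returns, the plen*plen bytes in the DP step have already been processed. The known-answer value for "Hello world!" with salt "saltstring" from the SHA-crypt document can be used to confirm the implementation before relying on it.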
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sha256Crypt Project | Sha256Crypt | <= 0.6 |
| Sha512Crypt Project | Sha512Crypt | <= 0.6 |
Related Weaknesses (CWE)
References
- https://akkadia.org/drepper/SHA-crypt.txt (Exploit, Third Party Advisory)
- https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerou (Exploit, Third Party Advisory)
- https://twitter.com/solardiz/status/795601240151457793 (Third Party Advisory)
FAQ
What is CVE-2016-20013?
CVE-2016-20013 is a vulnerability with a CVSS score of 7.5 (HIGH). sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.
How severe is CVE-2016-20013?
CVE-2016-20013 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-20013?
Check the references section above for vendor advisories and patch information. Affected products include: Sha256Crypt Project Sha256Crypt, Sha512Crypt Project Sha512Crypt.