CVE-2015-0886 - OpenCVE

Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Mindrot	Jbcrypt
Fedoraproject	Fedora

Configuration 1 [-]

cpe:2.3:a:mindrot:jbcrypt:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:20:::::::*
	cpe:2.3:o:fedoraproject:fedora:21:::::::*
	cpe:2.3:o:fedoraproject:fedora:22:::::::*

References

Link	Resource
http://jvn.jp/en/jp/JVN77718330/index.html	Third Party Advisory Vendor Advisory
http://jvndb.jvn.jp/jvndb/JVNDB-2015-000033	Third Party Advisory VDB Entry Vendor Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151496.html	Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151786.html	Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151797.html	Third Party Advisory
http://www.mindrot.org/projects/jBCrypt/news/rel04.html	Release Notes Vendor Advisory
https://bugzilla.mindrot.org/show_bug.cgi?id=2097	Issue Tracking Vendor Advisory
https://lists.apache.org/thread.html/rbd23e3ac8113b4da0a025c0e45170b6ec317383a1cf06090c2c717aa%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/rd5c2256b8dc9935e4bb5e9be90adce58408054bb42523730a40c5548%40%3Ccommits.cassandra.apache.org%3E
https://lists.apache.org/thread.html/re330cfe9e5d84e3f7da8ace23ec32f38cb3fbd328bf177badd7ad942%40%3Ccommits.cassandra.apache.org%3E

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jpcert

Published: 2015-02-28T02:00:00

Updated: 2021-09-24T12:06:17

Reserved: 2015-01-08T00:00:00

Link: CVE-2015-0886

JSON object: View

NVD Information

Status : Modified

Published: 2015-02-28T02:59:35.987

Modified: 2023-11-07T02:23:35.823

Link: CVE-2015-0886

JSON object: View

Redhat Information

No data.

CWE

CWE-190

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-01-30T00:00:00", "descriptions": [{"lang": "en", "value": "Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-09-24T12:06:17", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert"}, "references": [{"name": "FEDORA-2015-3032", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151786.html"}, {"name": "FEDORA-2015-3120", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151496.html"}, {"name": "JVN#77718330", "tags": ["third-party-advisory", "x_refsource_JVN"], "url": "http://jvn.jp/en/jp/JVN77718330/index.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.mindrot.org/projects/jBCrypt/news/rel04.html"}, {"name": "FEDORA-2015-2994", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151797.html"}, {"name": "JVNDB-2015-000033", "tags": ["third-party-advisory", "x_refsource_JVNDB"], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000033"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mindrot.org/show_bug.cgi?id=2097"}, {"name": "[cassandra-commits] 20210924 [jira] [Updated] (CASSANDRA-16990) Update jbcrypt library to 0.4 from 0.3m to resolve CVE-2015-0886", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rd5c2256b8dc9935e4bb5e9be90adce58408054bb42523730a40c5548%40%3Ccommits.cassandra.apache.org%3E"}, {"name": "[cassandra-commits] 20210924 [jira] [Created] (CASSANDRA-16990) Update jbcrypt library to 0.4 from 0.3m to resolve CVE-2015-0886", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/re330cfe9e5d84e3f7da8ace23ec32f38cb3fbd328bf177badd7ad942%40%3Ccommits.cassandra.apache.org%3E"}, {"name": "[cassandra-commits] 20210924 [jira] [Commented] (CASSANDRA-16990) Update jbcrypt library to 0.4 from 0.3m to resolve CVE-2015-0886", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rbd23e3ac8113b4da0a025c0e45170b6ec317383a1cf06090c2c717aa%40%3Ccommits.cassandra.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2015-0886", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "FEDORA-2015-3032", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151786.html"}, {"name": "FEDORA-2015-3120", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151496.html"}, {"name": "JVN#77718330", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN77718330/index.html"}, {"name": "http://www.mindrot.org/projects/jBCrypt/news/rel04.html", "refsource": "CONFIRM", "url": "http://www.mindrot.org/projects/jBCrypt/news/rel04.html"}, {"name": "FEDORA-2015-2994", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151797.html"}, {"name": "JVNDB-2015-000033", "refsource": "JVNDB", "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000033"}, {"name": "https://bugzilla.mindrot.org/show_bug.cgi?id=2097", "refsource": "CONFIRM", "url": "https://bugzilla.mindrot.org/show_bug.cgi?id=2097"}, {"name": "[cassandra-commits] 20210924 [jira] [Updated] (CASSANDRA-16990) Update jbcrypt library to 0.4 from 0.3m to resolve CVE-2015-0886", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd5c2256b8dc9935e4bb5e9be90adce58408054bb42523730a40c5548@%3Ccommits.cassandra.apache.org%3E"}, {"name": "[cassandra-commits] 20210924 [jira] [Created] (CASSANDRA-16990) Update jbcrypt library to 0.4 from 0.3m to resolve CVE-2015-0886", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re330cfe9e5d84e3f7da8ace23ec32f38cb3fbd328bf177badd7ad942@%3Ccommits.cassandra.apache.org%3E"}, {"name": "[cassandra-commits] 20210924 [jira] [Commented] (CASSANDRA-16990) Update jbcrypt library to 0.4 from 0.3m to resolve CVE-2015-0886", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbd23e3ac8113b4da0a025c0e45170b6ec317383a1cf06090c2c717aa@%3Ccommits.cassandra.apache.org%3E"}]}}}}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2015-0886", "datePublished": "2015-02-28T02:00:00", "dateReserved": "2015-01-08T00:00:00", "dateUpdated": "2021-09-24T12:06:17", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mindrot:jbcrypt:*:*:*:*:*:*:*:*", "matchCriteriaId": "61049707-EA5E-4193-B4A4-A60D81F69624", "versionEndExcluding": "0.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*", "matchCriteriaId": "FF47C9F0-D8DA-4B55-89EB-9B2C9383ADB9", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*", "matchCriteriaId": "56BDB5A0-0839-4A20-A003-B8CD56F48171", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*", "matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent."}, {"lang": "es", "value": "Desbordamiento de enteros en el m\u00e9todo crypt_raw en la implementaci\u00f3n del estiramiento de claves en jBCrypt anterior a 0.4 facilita a atacantes remotos determinar valores en texto claro de hashes de contrase\u00f1as a trav\u00e9s de un ataque de fuerza bruta contra los hashes asociados con el exponente m\u00e1ximo."}], "id": "CVE-2015-0886", "lastModified": "2023-11-07T02:23:35.823", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-02-28T02:59:35.987", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory", "Vendor Advisory"], "url": "http://jvn.jp/en/jp/JVN77718330/index.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory", "VDB Entry", "Vendor Advisory"], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000033"}, {"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151496.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151786.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151797.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://www.mindrot.org/projects/jBCrypt/news/rel04.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.mindrot.org/show_bug.cgi?id=2097"}, {"source": "vultures@jpcert.or.jp", "url": "https://lists.apache.org/thread.html/rbd23e3ac8113b4da0a025c0e45170b6ec317383a1cf06090c2c717aa%40%3Ccommits.cassandra.apache.org%3E"}, {"source": "vultures@jpcert.or.jp", "url": "https://lists.apache.org/thread.html/rd5c2256b8dc9935e4bb5e9be90adce58408054bb42523730a40c5548%40%3Ccommits.cassandra.apache.org%3E"}, {"source": "vultures@jpcert.or.jp", "url": "https://lists.apache.org/thread.html/re330cfe9e5d84e3f7da8ace23ec32f38cb3fbd328bf177badd7ad942%40%3Ccommits.cassandra.apache.org%3E"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}]}