CVE-2011-2483MEDIUM
New! CVE Severity Now Using CVSS v3
The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Description
crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.
References
http://freshmeat.net/projects/crypt_blowfish
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00015.html
http://php.net/security/crypt_blowfish
http://support.apple.com/kb/HT5130
http://www.debian.org/security/2011/dsa-2340
http://www.debian.org/security/2012/dsa-2399
http://www.mandriva.com/security/advisories?name=MDVSA-2011:165
http://www.mandriva.com/security/advisories?name=MDVSA-2011:178
http://www.mandriva.com/security/advisories?name=MDVSA-2011:179
http://www.mandriva.com/security/advisories?name=MDVSA-2011:180
http://www.openwall.com/crypt/
http://www.php.net/archive/2011.php#id2011-08-18-1
http://www.php.net/ChangeLog-5.php#5.3.7
http://www.postgresql.org/docs/8.4/static/release-8-4-9.html
http://www.redhat.com/support/errata/RHSA-2011-1377.html
http://www.redhat.com/support/errata/RHSA-2011-1378.html
http://www.redhat.com/support/errata/RHSA-2011-1423.html
http://www.securityfocus.com/bid/49241
Vulnerable Software
Configuration 1
OR
cpe:2.3:a:php:php:1.0:*:*:*:*:*:*:*
cpe:2.3:a:php:php:2.0:*:*:*:*:*:*:*
cpe:2.3:a:php:php:2.0b10:*:*:*:*:*:*:*
cpe:2.3:a:php:php:3.0:*:*:*:*:*:*:*
cpe:2.3:a:php:php:3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:php:php:3.0.2:*:*:*:*:*:*:*
cpe:2.3:a:php:php:3.0.3:*:*:*:*:*:*:*
cpe:2.3:a:php:php:3.0.4:*:*:*:*:*:*:*
cpe:2.3:a:php:php:3.0.5:*:*:*:*:*:*:*
cpe:2.3:a:php:php:3.0.6:*:*:*:*:*:*:*
cpe:2.3:a:php:php:3.0.7:*:*:*:*:*:*:*
cpe:2.3:a:php:php:3.0.8:*:*:*:*:*:*:*
cpe:2.3:a:php:php:3.0.9:*:*:*:*:*:*:*
cpe:2.3:a:php:php:3.0.10:*:*:*:*:*:*:*
cpe:2.3:a:php:php:3.0.11:*:*:*:*:*:*:*
cpe:2.3:a:php:php:3.0.12:*:*:*:*:*:*:*
cpe:2.3:a:php:php:3.0.13:*:*:*:*:*:*:*
cpe:2.3:a:php:php:3.0.14:*:*:*:*:*:*:*
cpe:2.3:a:php:php:3.0.15:*:*:*:*:*:*:*
cpe:2.3:a:php:php:3.0.16:*:*:*:*:*:*:*
cpe:2.3:a:php:php:3.0.17:*:*:*:*:*:*:*
cpe:2.3:a:php:php:3.0.18:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.0:beta1:*:*:*:*:*:*
cpe:2.3:a:php:php:4.0:beta2:*:*:*:*:*:*
cpe:2.3:a:php:php:4.0:beta3:*:*:*:*:*:*
cpe:2.3:a:php:php:4.0:beta4:*:*:*:*:*:*
cpe:2.3:a:php:php:4.0:beta_4_patch1:*:*:*:*:*:*
cpe:2.3:a:php:php:4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.0.1:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.0.2:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.0.3:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.0.4:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.0.5:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.0.6:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.0.7:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.1.0:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.1.1:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.1.2:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.2.0:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.2.1:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.2.2:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.2.3:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.3.0:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.3.1:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.3.2:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.3.3:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.3.4:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.3.5:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.3.6:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.3.7:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.3.8:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.3.9:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.3.10:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.3.11:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.4.0:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.4.1:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.4.2:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.4.3:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.4.4:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.4.5:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.4.6:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.4.7:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.4.8:*:*:*:*:*:*:*
cpe:2.3:a:php:php:4.4.9:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:php:php:5.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:php:php:5.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:php:php:5.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:php:php:5.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:php:php:5.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:php:php:5.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:php:php:5.0.1:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.0.2:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.0.3:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.0.4:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.0.5:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.1.0:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.1.1:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.1.2:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.1.3:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.1.4:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.1.5:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.1.6:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.2.0:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.2.1:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.2.2:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.2.3:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.2.4:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.2.5:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.2.6:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.2.8:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.2.9:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.2.10:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.2.11:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.2.12:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.2.13:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.2.14:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.3.0:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.3.1:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.3.2:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.3.3:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.3.4:*:*:*:*:*:*:*
cpe:2.3:a:php:php:5.3.5:*:*:*:*:*:*:*
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* versions up to 5.3.6 (inclusive)
cpe:2.3:a:solar_designer:crypt_blowfish:0.2:*:*:*:*:*:*:*
cpe:2.3:a:solar_designer:crypt_blowfish:0.3:*:*:*:*:*:*:*
cpe:2.3:a:solar_designer:crypt_blowfish:0.4:*:*:*:*:*:*:*
cpe:2.3:a:solar_designer:crypt_blowfish:0.4.1:*:*:*:*:*:*:*
cpe:2.3:a:solar_designer:crypt_blowfish:0.4.2:*:*:*:*:*:*:*
cpe:2.3:a:solar_designer:crypt_blowfish:0.4.3:*:*:*:*:*:*:*
cpe:2.3:a:solar_designer:crypt_blowfish:0.4.4:*:*:*:*:*:*:*
cpe:2.3:a:solar_designer:crypt_blowfish:0.4.5:*:*:*:*:*:*:*
cpe:2.3:a:solar_designer:crypt_blowfish:0.4.6:*:*:*:*:*:*:*
cpe:2.3:a:solar_designer:crypt_blowfish:*:*:*:*:*:*:*:* versions up to 0.4.7 (inclusive)
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 122590 | PHP 5.4.x < 5.4.0 Multiple Vulnerabilities | Nessus | CGI abuses | high |
| 83561 | SUSE SLED10 / SLES10 Security Update : PostgreSQL (SUSE-SU-2012:1336-1) | Nessus | SuSE Local Security Checks | medium |
| 78268 | Amazon Linux AMI : php (ALAS-2011-7) | Nessus | Amazon Linux Local Security Checks | high |
| 78134 | F5 Networks BIG-IP : Multiple PHP vulnerabilities (K13519) | Nessus | F5 Networks Local Security Checks | critical |
| 76052 | openSUSE Security Update : yast2-core (openSUSE-SU-2011:0921-2) | Nessus | SuSE Local Security Checks | medium |
| 75943 | openSUSE Security Update : man-pages (openSUSE-SU-2011:0970-1) | Nessus | SuSE Local Security Checks | medium |
| 75934 | openSUSE Security Update : libxcrypt (openSUSE-SU-2011:0972-1) | Nessus | SuSE Local Security Checks | medium |
| 75852 | openSUSE Security Update : glibc (openSUSE-SU-2011:0921-1) | Nessus | SuSE Local Security Checks | medium |
| 75791 | openSUSE Security Update : apache2-mod_php5 (openSUSE-SU-2011:1138-1) | Nessus | SuSE Local Security Checks | critical |
| 75781 | openSUSE Security Update : yast2-core (openSUSE-SU-2011:0921-2) | Nessus | SuSE Local Security Checks | medium |
| 75642 | openSUSE Security Update : man-pages (openSUSE-SU-2011:0970-1) | Nessus | SuSE Local Security Checks | medium |
| 75631 | openSUSE Security Update : libxcrypt (openSUSE-SU-2011:0972-1) | Nessus | SuSE Local Security Checks | medium |
| 75519 | openSUSE Security Update : glibc (openSUSE-SU-2011:0921-1) | Nessus | SuSE Local Security Checks | medium |
| 75433 | openSUSE Security Update : apache2-mod_php5 (openSUSE-SU-2011:1137-1) | Nessus | SuSE Local Security Checks | critical |
| 75198 | openSUSE Security Update : whois (openSUSE-SU-2013:1670-1) | Nessus | SuSE Local Security Checks | medium |
| 74591 | openSUSE Security Update : postgresql (openSUSE-SU-2012:0480-1) | Nessus | SuSE Local Security Checks | medium |
| 69571 | Amazon Linux AMI : postgresql (ALAS-2011-12) | Nessus | Amazon Linux Local Security Checks | medium |
| 69566 | Amazon Linux AMI : php (ALAS-2011-07) | Nessus | Amazon Linux Local Security Checks | high |
| 68382 | Oracle Linux 5 / 6 : php / php53 (ELSA-2011-1423) | Nessus | Oracle Linux Local Security Checks | high |
| 68371 | Oracle Linux 5 : postgresql84 (ELSA-2011-1378) | Nessus | Oracle Linux Local Security Checks | medium |
| 68370 | Oracle Linux 4 / 5 / 6 : postgresql (ELSA-2011-1377) | Nessus | Oracle Linux Local Security Checks | medium |
| 62545 | SuSE 10 Security Update : PostgreSQL (ZYPP Patch Number 8311) | Nessus | SuSE Local Security Checks | medium |
| 61938 | Mandriva Linux Security Advisory : glibc (MDVSA-2011:179) | Nessus | Mandriva Local Security Checks | medium |
| 61168 | Scientific Linux Security Update : php53 and php on SL5.x, SL6.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | high |
| 61155 | Scientific Linux Security Update : postgresql on SL4.x, SL5.x, SL6.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | medium |
| 61154 | Scientific Linux Security Update : postgresql84 on SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | medium |
| 58811 | HP System Management Homepage < 7.0 Multiple Vulnerabilities | Nessus | Web Servers | critical |
| 58576 | SuSE 10 Security Update : glibc (ZYPP Patch Number 7663) | Nessus | SuSE Local Security Checks | medium |
| 6303 | Mac OS X 10.7 < 10.7.3 Multiple Vulnerabilities | Nessus Network Monitor | Generic | critical |
| 57839 | SuSE 11.1 Security Update : glibc (SAT Patch Number 4944) | Nessus | SuSE Local Security Checks | medium |
| 55919 | SuSE 11.1 Security Update : glibc (SAT Patch Number 4944) (deprecated) | Nessus | SuSE Local Security Checks | medium |
| 57798 | Mac OS X Multiple Vulnerabilities (Security Update 2012-001) (BEAST) | Nessus | MacOS X Local Security Checks | critical |
| 57797 | Mac OS X 10.7.x < 10.7.3 Multiple Vulnerabilities (BEAST) | Nessus | MacOS X Local Security Checks | critical |
| 57753 | Debian DSA-2399-2 : php5 - several vulnerabilities | Nessus | Debian Local Security Checks | high |
| 57270 | SuSE 10 Security Update : yast2-core (ZYPP Patch Number 7726) | Nessus | SuSE Local Security Checks | medium |
| 57202 | SuSE 10 Security Update : glibc (ZYPP Patch Number 7663) (deprecated) | Nessus | SuSE Local Security Checks | medium |
| 56968 | Mandriva Linux Security Advisory : php-suhosin (MDVSA-2011:180) | Nessus | Mandriva Local Security Checks | medium |
| 56953 | Mandriva Linux Security Advisory : glibc (MDVSA-2011:178) | Nessus | Mandriva Local Security Checks | medium |
| 56730 | Debian DSA-2340-1 : postgresql-8.3, postgresql-8.4, postgresql-9.0 - weak password hashing | Nessus | Debian Local Security Checks | medium |
| 56707 | Mandriva Linux Security Advisory : php (MDVSA-2011:165) | Nessus | Mandriva Local Security Checks | critical |
| 56699 | RHEL 5 / 6 : php53 and php (RHSA-2011:1423) | Nessus | Red Hat Local Security Checks | high |
| 56695 | CentOS 5 : php53 (CESA-2011:1423) | Nessus | CentOS Local Security Checks | high |
| 56627 | Mandriva Linux Security Advisory : postgresql (MDVSA-2011:161) | Nessus | Mandriva Local Security Checks | medium |
| 56626 | GLSA-201110-22 : PostgreSQL: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high |
| 56619 | SuSE 10 Security Update : yast2-core (ZYPP Patch Number 7725) | Nessus | SuSE Local Security Checks | medium |
| 56554 | Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : php5 vulnerabilities (USN-1231-1) | Nessus | Ubuntu Local Security Checks | high |
| 56536 | CentOS 5 : postgresql84 (CESA-2011:1378) | Nessus | CentOS Local Security Checks | medium |
| 56535 | CentOS 4 / 5 : postgresql (CESA-2011:1377) | Nessus | CentOS Local Security Checks | medium |
| 56534 | RHEL 5 : postgresql84 (RHSA-2011:1378) | Nessus | Red Hat Local Security Checks | medium |
| 56533 | RHEL 4 / 5 / 6 : postgresql (RHSA-2011:1377) | Nessus | Red Hat Local Security Checks | medium |
| 56506 | Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 : postgresql-8.3, postgresql-8.4 vulnerability (USN-1229-1) | Nessus | Ubuntu Local Security Checks | medium |
| 56459 | GLSA-201110-06 : PHP: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical |
| 56219 | Fedora 14 : maniadrive-1.2-32.fc14 / php-5.3.8-1.fc14 / php-eaccelerator-0.9.6.1-9.fc14 (2011-11537) | Nessus | Fedora Local Security Checks | high |
| 56218 | Fedora 15 : maniadrive-1.2-32.fc15 / php-5.3.8-1.fc15 / php-eaccelerator-0.9.6.1-9.fc15 (2011-11528) | Nessus | Fedora Local Security Checks | high |
| 56150 | Fedora 16 : maniadrive-1.2-32.fc16 / php-5.3.8-1.fc16 / php-eaccelerator-0.9.6.1-9.fc16 (2011-11464) | Nessus | Fedora Local Security Checks | high |
| 56034 | SuSE 11.1 Security Update : yast2-core (SAT Patch Number 5078) | Nessus | SuSE Local Security Checks | medium |
| 56019 | SuSE 11.1 Security Update : man-pages (SAT Patch Number 5064) | Nessus | SuSE Local Security Checks | medium |
| 56018 | SuSE 11.1 Security Update : libxcrypt (SAT Patch Number 5041) | Nessus | SuSE Local Security Checks | medium |
| 55980 | Slackware 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / 13.37 / current : php (SSA:2011-237-01) | Nessus | Slackware Local Security Checks | high |
| 801087 | PHP 5.3 < 5.3.7 Multiple Vulnerabilities | Log Correlation Engine | Web Servers | high |
| 6015 | PHP 5.3.x < 5.3.7 Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | high |
| 55925 | PHP 5.3 < 5.3.7 Multiple Vulnerabilities | Nessus | CGI abuses | critical |
| 55920 | SuSE 10 Security Update : glibc (ZYPP Patch Number 7659) | Nessus | SuSE Local Security Checks | medium |
| 55918 | SuSE9 Security Update : glibc suite (YOU Patch Number 12813) | Nessus | SuSE Local Security Checks | medium |
| 55912 | FreeBSD : php -- multiple vulnerabilities (057bf770-cac4-11e0-aea3-00215c6a37bb) | Nessus | FreeBSD Local Security Checks | high |