{"api_version":"1","generated_at":"2026-05-02T11:08:38+00:00","cve":"CVE-2013-1895","urls":{"html":"https://cve.report/CVE-2013-1895","api":"https://cve.report/api/cve/CVE-2013-1895.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2013-1895","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2013-1895"},"summary":{"title":"CVE-2013-1895","description":"The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2020-01-28 15:15:00","updated_at":"2020-02-04 16:49:00"},"problem_types":["CWE-307"],"metrics":[],"references":[{"url":"http://www.openwall.com/lists/oss-security/2013/03/26/2","name":"http://www.openwall.com/lists/oss-security/2013/03/26/2","refsource":"MISC","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - CVE-2013-1895 py-bcrypt 0.2 concurrency vulnerability (auth bypass)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101382.html","name":"http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101382.html","refsource":"MISC","tags":["Third Party Advisory","Tool Signature"],"title":"[SECURITY] Fedora 18 Update: py-bcrypt-0.3-1.fc18","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/58702","name":"http://www.securityfocus.com/bid/58702","refsource":"MISC","tags":["Third Party Advisory","VDB Entry"],"title":"Python 'py-bcrypt' Module CVE-2013-1895 Authentication Bypass Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101387.html","name":"http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101387.html","refsource":"MISC","tags":["Third Party Advisory"],"title":"[SECURITY] Fedora 17 Update: py-bcrypt-0.3-1.fc17","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/83039","name":"https://exchange.xforce.ibmcloud.com/vulnerabilities/83039","refsource":"MISC","tags":["Third Party Advisory","VDB Entry"],"title":"IBM X-Force Exchange","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2013-1895","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-1895","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2013","cve_id":"1895","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"17","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"1895","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"18","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"1895","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"17","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"1895","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"18","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"1895","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"py-bcrypt","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"1895","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"py-bcrypt","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2013-1895","qid":"980442","title":"Python (pip) Security Update for py-bcrypt (GHSA-r838-q6jp-58xx)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2013-1895","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Other"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"py-bcrypt","product":{"product_data":[{"product_name":"py-bcrypt","version":{"version_data":[{"version_affected":"=","version_value":"before 0.3"}]}}]}}]}},"references":{"reference_data":[{"url":"http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101382.html","refsource":"MISC","name":"http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101382.html"},{"url":"http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101387.html","refsource":"MISC","name":"http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101387.html"},{"url":"http://www.openwall.com/lists/oss-security/2013/03/26/2","refsource":"MISC","name":"http://www.openwall.com/lists/oss-security/2013/03/26/2"},{"url":"http://www.securityfocus.com/bid/58702","refsource":"MISC","name":"http://www.securityfocus.com/bid/58702"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/83039","refsource":"MISC","name":"https://exchange.xforce.ibmcloud.com/vulnerabilities/83039"}]}},"nvd":{"publishedDate":"2020-01-28 15:15:00","lastModifiedDate":"2020-02-04 16:49:00","problem_types":["CWE-307"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:py-bcrypt:*:*:*:*:*:*:*:*","versionEndExcluding":"0.3","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:18:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2013","CveId":"1895","Ordinal":"61522","Title":"CVE-2013-1895","CVE":"CVE-2013-1895","Year":"2013"},"notes":[{"CveYear":"2013","CveId":"1895","Ordinal":"1","NoteData":"The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten.","Type":"Description","Title":null},{"CveYear":"2013","CveId":"1895","Ordinal":"2","NoteData":"2020-01-28","Type":"Other","Title":"Published"},{"CveYear":"2013","CveId":"1895","Ordinal":"3","NoteData":"2020-01-28","Type":"Other","Title":"Modified"}]}}}