The crypt_des function (the DES-based crypt(3)) in FreeBSD before 9.0-RELEASE-p2, and the FreeBSD-derived copies of it in PHP, PostgreSQL (pgcrypto) and other products, stops reading the cleartext password at the first 0x80 byte: the loop that loads the password into the DES key buffer treats that byte like the terminating NUL, so every byte after it is ignored when the hash is computed. Two passwords that agree up to a 0x80 byte therefore hash to the same value, and an attacker who knows only the initial substring of the intended password (the part before the 0x80 byte) can authenticate with it. Passwords containing non-ASCII characters are the realistic trigger, since their UTF-8 encoding can contain a 0x80 byte (U+00C0 'À' encodes as C3 80, for example), which is the "Unicode password" demonstration. Only the byte value 0x80 is affected: it is the one non-zero value whose left shift by one bit truncates to zero in the 8-bit key buffer, so other high-bit bytes survive the shift and are processed normally.
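The key-loading step where the truncation happens, as an added example that is not code from this page, FreeBSD, PHP or PostgreSQL: it models the pre-fix loop (modelled on `if ((*q++ = *key << 1)) key++;`) and the corrected form side by side on the first 8-byte DES key block, using a constructed password. The function names, the `bytes_consumed` and `same_key_material` helpers and the sample password are this example's own. Traditional DES crypt uses only the first 8 bytes of the password, so the 0x80 byte has to fall among them for the prefix to collide; the sample places it at byte 5.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* crypt_des loads one 8-byte DES key block from the start of the password. */
#define KEYBUF_LEN 8

typedef size_t (*key_loader)(const char *key, uint8_t *keybuf);

/*
 * Vulnerable key loading, modelled on the pre-fix FreeBSD loop
 *     if ((*q++ = *key << 1)) key++;
 * The password pointer advances only while the STORED byte is non-zero.
 * 0x80 << 1 is 0x100, which truncates to 0x00 in the 8-bit key buffer,
 * so a 0x80 byte is handled exactly like the terminating NUL: the pointer
 * stops and every later byte of the password is never read.
 * (The original shifts a plain char; casting to unsigned char first gives
 * the same 8-bit result without left-shifting a negative value.)
 * Returns the number of password bytes actually consumed.
 */
static size_t load_key_vulnerable(const char *key, uint8_t *keybuf)
{
    const char *start = key;
    uint8_t *q = keybuf;

    while (q - keybuf < KEYBUF_LEN) {
        if ((*q++ = (uint8_t)(((unsigned char)*key) << 1)))
            key++;
    }
    return (size_t)(key - start);
}

/*
 * Corrected loading, in the shape of the FreeBSD fix: store the shifted
 * byte unconditionally and advance on the real NUL terminator only, so a
 * 0x80 byte contributes a zero key byte but does not end the password.
 */
static size_t load_key_fixed(const char *key, uint8_t *keybuf)
{
    const char *start = key;
    uint8_t *q = keybuf;

    while (q - keybuf < KEYBUF_LEN) {
        *q++ = (uint8_t)(((unsigned char)*key) << 1);
        if (*key != '\0')
            key++;
    }
    return (size_t)(key - start);
}

/* Number of password bytes a loader reads before it stops. */
static size_t bytes_consumed(key_loader load, const char *password)
{
    uint8_t keybuf[KEYBUF_LEN];
    return load(password, keybuf);
}

/*
 * 1 if both passwords yield identical DES key material under the loader.
 * Identical key material means crypt_des produces the same hash for both
 * with any salt, i.e. the second password authenticates as the first.
 */
static int same_key_material(key_loader load, const char *a, const char *b)
{
    uint8_t ka[KEYBUF_LEN], kb[KEYBUF_LEN];

    load(a, ka);
    load(b, kb);
    return memcmp(ka, kb, KEYBUF_LEN) == 0;
}

int main(void)
{
    /*
     * Constructed sample password: "abc", then U+00C0 'À' in UTF-8 (C3 80),
     * then "xyz".  The 0x80 is byte 5, inside the 8-byte key block.
     * (Split into two literals so no hex digit can follow the \x80 escape.)
     */
    static const char full[]   = "abc\xC3\x80" "xyz";
    static const char prefix[] = "abc\xC3";   /* everything before the 0x80 */

    printf("vulnerable loader reads %zu of %zu bytes; prefix collides: %s\n",
           bytes_consumed(load_key_vulnerable, full), strlen(full),
           same_key_material(load_key_vulnerable, full, prefix) ? "yes" : "no");
    printf("fixed loader reads %zu of %zu bytes; prefix collides: %s\n",
           bytes_consumed(load_key_fixed, full), strlen(full),
           same_key_material(load_key_fixed, full, prefix) ? "yes" : "no");
    return 0;
}
```

The vulnerable loader stops after 4 bytes and produces the same key block for the full password and for its prefix; the fixed loader reads all 8 and the two differ. The degenerate case follows from the same loop: a password whose first byte is 0x80 collides with the empty password. On a live system the check is the same comparison through the real function: on an affected FreeBSD-derived crypt_des, crypt() of the full password and crypt() of its prefix up to the 0x80 byte return the same hash for the same salt, and on a fixed build they differ. PHP's bundled crypt_freesec.c and PostgreSQL's pgcrypto crypt-des.c both descend from the FreeBSD code, which is why those packages appear in the table below.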
Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | php | 2012-07-05 16:09 | ALAS-2012-95 |
Amazon Linux 1 | postgresql8 | 2012-07-05 16:08 | ALAS-2012-94 |
Amazon Linux 1 | postgresql9 | 2012-06-19 16:02 | ALAS-2012-91 |
Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv2 | 4.0 | AV:N/AC:H/Au:N/C:P/I:P/A:N |
NVD | CVSSv2 | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N |