oss-sec mailing list archives

web2py: CVE-2016-10321: does not check if a host is denied before verifying passwords


From: Salvatore Bonaccorso <carnil () debian org>
Date: Mon, 10 Apr 2017 17:08:12 +0200

Hi

CVE-2016-10321 was assigned (via cveform.mitre.org) to the following
issue in web2py:

web2py before 2.14.6 does not properly check if a host is denied
before verifying passwords, allowing a remote attacker to perform
brute-force attacks.

Fixing commit:
https://github.com/web2py/web2py/commit/944d8bd8f3c5cf8ae296fc03d149056c65358426

Regards,
Salvatore
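To show the ordering problem the advisory describes, here is an added illustration (not web2py's code, and not from the commit linked above): a login handler that verifies the password before consulting the per-host deny-list, next to one that rejects a denied host before any verification happens. The assumed shape of the bug (deny-list consulted only on the failure path), the MAX_FAILURES/DENY_SECONDS policy, the user record and the injectable clock are all constructed for the demo.

```python
import hashlib
import hmac

MAX_FAILURES = 5    # failed attempts before a host is denied (assumed policy)
DENY_SECONDS = 300  # how long a host stays denied (assumed policy)
# Constructed demo user store: username -> (salt, sha256(salt + password)).
def _digest(salt, password):
    return hashlib.sha256(salt + password.encode()).hexdigest()
USERS = {"alice": (b"demo-salt", _digest(b"demo-salt", "correct horse battery"))}

class HostGuard:
    def __init__(self, now):
        self.now = now      # injectable clock (callable returning seconds)
        self.failures = {}  # host -> (failure count, time of last failure)
    def is_denied(self, host):
        count, last = self.failures.get(host, (0, 0.0))
        if count >= MAX_FAILURES and self.now() - last < DENY_SECONDS:
            return True
        if count >= MAX_FAILURES:
            self.failures.pop(host, None)  # deny window expired, count afresh
        return False
    def record_failure(self, host):
        count, _ = self.failures.get(host, (0, 0.0))
        self.failures[host] = (count + 1, self.now())
    def clear(self, host):
        self.failures.pop(host, None)

def verify_password(username, password):
    salt, stored = USERS.get(username, (b"", ""))
    return hmac.compare_digest(_digest(salt, password), stored)

def login_vulnerable(guard, host, username, password):
    # Ordering of the kind the advisory describes (assumed shape, not web2py's
    # code): verify first, consult the deny-list only on failure.
    if verify_password(username, password):
        guard.clear(host)
        return "ok"
    if guard.is_denied(host):
        return "denied"
    guard.record_failure(host)
    return "bad credentials"

def login_fixed(guard, host, username, password):
    # Deny-list checked first: a denied host gets no password verification.
    if guard.is_denied(host):
        return "denied"
    if not verify_password(username, password):
        guard.record_failure(host)
        return "bad credentials"
    guard.clear(host)
    return "ok"
```

With the vulnerable ordering a host that has already been denied still gets in as soon as one guess is right; with the fixed ordering it is turned away until the deny window has expired.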
