Main Vulnerability Database SB2019062810

SB2019062810 - Security restrictions bypass in web2py

Published: June 28, 2019

Security Bulletin ID SB2019062810

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Security features bypass (CVE-ID: CVE-2016-10321)

The vulnerability allows a remote attacker to perform password brute-force attacks.

The vulnerability exist due to the software does not properly check if a host is denied before password verification. A remote non-authenticated attacker can perform a password brute-force attack on the targeted system.

Remediation

Install update from vendor's website.

References

https://github.com/web2py/web2py/commit/944d8bd8f3c5cf8ae296fc03d149056c65358426
https://github.com/web2py/web2py/issues/1585#issuecomment-284317919
https://usn.ubuntu.com/4030-1/