CVE-2015-0886
Integer Overflow or Wraparound in JBCrypt
EPSS 2.5%
Description
Integer overflow in the crypt_raw method in the key-stretching implementation in JBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent.
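The following is an added example, not code from the jBCrypt project, written to show the mechanism the description refers to. It assumes the shape of the pre-0.4 round calculation as commonly reported for this CVE: crypt_raw derives the number of key-stretching rounds as a 32-bit int from the cost exponent (log_rounds, accepted up to 31), so at the maximum exponent the value wraps negative and the stretching loop runs zero times; the fixed form computes the count in 64 bits. The method names, the bcrypt-prefix check and the sample hash prefixes are constructed for illustration.

```java
// Added example (not jBCrypt's own code). Models the round-count computation
// behind CVE-2015-0886 and a simple audit check for hashes stored at the
// maximum cost, which under the vulnerable library received no stretching.
public final class RoundCountDemo {

    static final int MAX_LOG_ROUNDS = 31; // assumed upper bound of the cost exponent

    // Vulnerable form (assumed pre-0.4 shape): 1 << 31 wraps to Integer.MIN_VALUE,
    // so a loop "for (i = 0; i < rounds; i++)" executes zero times.
    static int vulnerableRounds(int logRounds) {
        if (logRounds < 4 || logRounds > MAX_LOG_ROUNDS)
            throw new IllegalArgumentException("Bad number of rounds");
        return 1 << logRounds; // -2147483648 when logRounds == 31
    }

    // Fixed form: the count is computed in 64 bits and stays positive.
    static long fixedRounds(int logRounds) {
        if (logRounds < 4 || logRounds > MAX_LOG_ROUNDS)
            throw new IllegalArgumentException("Bad number of rounds");
        return 1L << logRounds; // 2147483648 when logRounds == 31
    }

    // Number of iterations a "for (i = 0; i < rounds; i++)" loop would perform.
    static long iterationsFor(long rounds) {
        return rounds > 0 ? rounds : 0;
    }

    // Audit helper: parse the cost field of a "$2a$NN$..." style hash and flag
    // entries produced at the maximum exponent, which should be rehashed after
    // upgrading (they may carry no stretching at all under the vulnerable code).
    static boolean needsRehash(String storedHash) {
        if (storedHash == null || storedHash.length() < 7 || storedHash.charAt(0) != '$')
            return false; // not a bcrypt-style string; out of scope for this check
        int secondDollar = storedHash.indexOf('$', 1);
        int thirdDollar = storedHash.indexOf('$', secondDollar + 1);
        if (secondDollar < 0 || thirdDollar < 0) return false;
        int cost = Integer.parseInt(storedHash.substring(secondDollar + 1, thirdDollar));
        return cost == MAX_LOG_ROUNDS;
    }

    public static void main(String[] args) {
        int[] costs = {4, 12, 31};
        for (int cost : costs) {
            int bad = vulnerableRounds(cost);
            long good = fixedRounds(cost);
            System.out.printf("cost=%d vulnerable rounds=%d (loop iterations=%d) fixed rounds=%d%n",
                    cost, bad, iterationsFor(bad), good);
        }
        // Constructed sample prefixes (not real hashes): only the cost field matters here.
        String[] samples = {"$2a$12$constructedsaltandhashvalue", "$2a$31$constructedsaltandhashvalue"};
        for (String s : samples) {
            System.out.printf("%s -> needsRehash=%b%n", s.substring(0, 7), needsRehash(s));
        }
    }
}
```

Running the example prints a positive round count for cost 4 and 12 in both forms, a negative vulnerable count (zero loop iterations) for cost 31, and flags only the cost-31 sample for rehashing. In practice the audit check belongs in a one-off migration after upgrading to 0.4, since hashes created at lower exponents were stretched correctly and need no change.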
How to fix CVE-2015-0886
To remediate CVE-2015-0886, upgrade the affected package to a fixed version below.
- Debian/libjbcrypt-java—upgrade to 0.4-1 or later
- Maven/org.mindrot:jbcrypt—upgrade to 0.4 or later
Is CVE-2015-0886 being exploited?
Low — EPSS is 2.5%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/libjbcrypt-java: from 0, < 0.4-1
- Maven/org.mindrot:jbcrypt: from 0, < 0.4