CVE-2013-4165 - Vulnerability Details - OpenCVE

The HTTPAuthorized function in bitcoinrpc.cpp in bitcoind 0.8.1 provides information about authentication failure upon detecting the first incorrect byte of a password, which makes it easier for remote attackers to determine passwords via a timing side-channel attack.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Bitcoin	Bitcoin Core

Configuration 1 [-]

cpe:2.3:a:bitcoin:bitcoin_core:0.8.1:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://openwall.com/lists/oss-security/2013/07/25/5
https://github.com/bitcoin/bitcoin/issues/2838
https://github.com/bitcoin/bitcoin/pull/2845

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2013-08-01T16:00:00Z

Updated: 2024-09-16T20:12:33.468Z

Reserved: 2013-06-12T00:00:00Z

Link: CVE-2013-4165

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2013-08-02T12:10:40.487

Modified: 2025-04-11T00:51:21.963

Link: CVE-2013-4165

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The HTTPAuthorized function in bitcoinrpc.cpp in bitcoind 0.8.1 provides information about authentication failure upon detecting the first incorrect byte of a password, which makes it easier for remote attackers to determine passwords via a timing side-channel attack."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-08-01T16:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/bitcoin/bitcoin/issues/2838"}, {"name": "[oss-security] 20130725 Re: CVE request: timing leak in bitcoind", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2013/07/25/5"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/bitcoin/bitcoin/pull/2845"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-4165", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The HTTPAuthorized function in bitcoinrpc.cpp in bitcoind 0.8.1 provides information about authentication failure upon detecting the first incorrect byte of a password, which makes it easier for remote attackers to determine passwords via a timing side-channel attack."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/bitcoin/bitcoin/issues/2838", "refsource": "MISC", "url": "https://github.com/bitcoin/bitcoin/issues/2838"}, {"name": "[oss-security] 20130725 Re: CVE request: timing leak in bitcoind", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2013/07/25/5"}, {"name": "https://github.com/bitcoin/bitcoin/pull/2845", "refsource": "MISC", "url": "https://github.com/bitcoin/bitcoin/pull/2845"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T16:38:01.572Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/bitcoin/bitcoin/issues/2838"}, {"name": "[oss-security] 20130725 Re: CVE request: timing leak in bitcoind", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2013/07/25/5"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/bitcoin/bitcoin/pull/2845"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-4165", "datePublished": "2013-08-01T16:00:00Z", "dateReserved": "2013-06-12T00:00:00Z", "dateUpdated": "2024-09-16T20:12:33.468Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bitcoin:bitcoin_core:0.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "53B8A243-3A29-4E36-9974-6C19D944E9ED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The HTTPAuthorized function in bitcoinrpc.cpp in bitcoind 0.8.1 provides information about authentication failure upon detecting the first incorrect byte of a password, which makes it easier for remote attackers to determine passwords via a timing side-channel attack."}, {"lang": "es", "value": "La funci\u00f3n HTTPAuthorized en bitcoinrpc.cpp en bitcoind 0.8.1, ofrece informaci\u00f3n acerca del fallo de autenticaci\u00f3n incluso detectando el primer byte incorrecto de la contrase\u00f1a, lo que facilita a atacantes remotos el determinar las contrase\u00f1as mediante un ataque del tipo \"timing side-channel\"."}], "id": "CVE-2013-4165", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-08-02T12:10:40.487", "references": [{"source": "secalert@redhat.com", "url": "http://openwall.com/lists/oss-security/2013/07/25/5"}, {"source": "secalert@redhat.com", "url": "https://github.com/bitcoin/bitcoin/issues/2838"}, {"source": "secalert@redhat.com", "url": "https://github.com/bitcoin/bitcoin/pull/2845"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://openwall.com/lists/oss-security/2013/07/25/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/bitcoin/bitcoin/issues/2838"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/bitcoin/bitcoin/pull/2845"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}