CVE-2016-10321

Published: 10 April 2017

web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package: web2py (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Needed
Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
Ubuntu 16.04 ESM (Xenial Xerus): Released (2.12.3-1ubuntu0.1)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was needed)

Patches:
Upstream: https://github.com/web2py/web2py/commit/944d8bd8f3c5cf8ae296fc03d149056c65358426