Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:gem/bcrypt@3.1.12.rc1
Typegem
Namespace
Namebcrypt
Version3.1.12.rc1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.1.22
Latest_non_vulnerable_version3.1.22
Affected_by_vulnerabilities
0
url VCID-jr8d-a6t4-93ej
vulnerability_id VCID-jr8d-a6t4-93ej
summary 
bcrypt-ruby has an Integer Overflow that Causes Zero Key-Strengthening Iterations at Cost=31 on JRuby
### Impact

An integer overflow in the Java BCrypt implementation for JRuby can
cause zero iterations in the strengthening loop.  Impacted
applications must be setting the cost to 31 to see this happen.

The JRuby implementation of bcrypt-ruby (`BCrypt.java`) computes
the key-strengthening round count as a signed 32-bit integer.
When `cost=31` (the maximum allowed by the gem), signed integer
overflow causes the round count to become negative, and the
strengthening loop executes **zero iterations**. This collapses
bcrypt from 2^31 rounds of exponential key-strengthening to
effectively constant-time computation — only the initial
EksBlowfish key setup and final 64x encryption phase remain.

The resulting hash looks valid (`$2a$31$...`) and verifies
correctly via `checkpw`, making the weakness invisible to the
application. This issue is triggered only when cost=31 is
used or when verifying a `$2a$31$` hash.

### Patches

This problem has been fixed in version 3.1.22

### Workarounds

Set the cost to something less than 31.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33306.json
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33306.json
1
reference_url https://github.com/advisories/GHSA-f27w-vcwj-c954
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-f27w-vcwj-c954
2
reference_url https://github.com/bcrypt-ruby/bcrypt-ruby
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/bcrypt-ruby/bcrypt-ruby
3
reference_url https://github.com/bcrypt-ruby/bcrypt-ruby/commit/831ce64cb0a9502130fa93a28bfd9527a5fa45c4
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/bcrypt-ruby/bcrypt-ruby/commit/831ce64cb0a9502130fa93a28bfd9527a5fa45c4
4
reference_url https://github.com/bcrypt-ruby/bcrypt-ruby/releases/tag/v3.1.22
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/bcrypt-ruby/bcrypt-ruby/releases/tag/v3.1.22
5
reference_url https://github.com/bcrypt-ruby/bcrypt-ruby/security/advisories/GHSA-f27w-vcwj-c954
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/bcrypt-ruby/bcrypt-ruby/security/advisories/GHSA-f27w-vcwj-c954
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bcrypt/CVE-2026-33306.yml
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bcrypt/CVE-2026-33306.yml
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33306
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33306
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450565
reference_id 2450565
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450565
fixed_packages
0
url pkg:gem/bcrypt@3.1.22
purl pkg:gem/bcrypt@3.1.22
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/bcrypt@3.1.22
aliases CVE-2026-33306, GHSA-f27w-vcwj-c954
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jr8d-a6t4-93ej
Fixing_vulnerabilities
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:gem/bcrypt@3.1.12.rc1