{
  "url": "http://public2.vulnerablecode.io/api/packages/174548?format=json",
  "purl": "pkg:gem/bcrypt@3.1.12.rc1",
  "type": "gem",
  "namespace": "",
  "name": "bcrypt",
  "version": "3.1.12.rc1",
  "qualifiers": {},
  "subpath": "",
  "is_vulnerable": true,
  "next_non_vulnerable_version": "3.1.22",
  "latest_non_vulnerable_version": "3.1.22",
  "affected_by_vulnerabilities": [
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51623?format=json",
      "vulnerability_id": "VCID-jr8d-a6t4-93ej",
      "summary": "bcrypt-ruby has an Integer Overflow that Causes Zero Key-Strengthening Iterations at Cost=31 on JRuby\n### Impact\n\nAn integer overflow in the Java BCrypt implementation for JRuby can\ncause zero iterations in the strengthening loop.  Impacted\napplications must be setting the cost to 31 to see this happen.\n\nThe JRuby implementation of bcrypt-ruby (`BCrypt.java`) computes\nthe key-strengthening round count as a signed 32-bit integer.\nWhen `cost=31` (the maximum allowed by the gem), signed integer\noverflow causes the round count to become negative, and the\nstrengthening loop executes **zero iterations**. This collapses\nbcrypt from 2^31 rounds of exponential key-strengthening to\neffectively constant-time computation — only the initial\nEksBlowfish key setup and final 64x encryption phase remain.\n\nThe resulting hash looks valid (`$2a$31$...`) and verifies\ncorrectly via `checkpw`, making the weakness invisible to the\napplication. This issue is triggered only when cost=31 is\nused or when verifying a `$2a$31$` hash.\n\n### Patches\n\nThis problem has been fixed in version 3.1.22\n\n### Workarounds\n\nSet the cost to something less than 31.",
      "references": [
        {
          "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33306.json",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "6.7",
              "scoring_system": "cvssv3",
              "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
            }
          ],
          "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33306.json"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-f27w-vcwj-c954",
          "reference_id": "",
          "reference_type": "",
          "scores": [],
          "url": "https://github.com/advisories/GHSA-f27w-vcwj-c954"
        },
        {
          "reference_url": "https://github.com/bcrypt-ruby/bcrypt-ruby",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "4.5",
              "scoring_system": "cvssv4",
              "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"
            },
            {
              "value": "MODERATE",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/bcrypt-ruby/bcrypt-ruby"
        },
        {
          "reference_url": "https://github.com/bcrypt-ruby/bcrypt-ruby/commit/831ce64cb0a9502130fa93a28bfd9527a5fa45c4",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "4.5",
              "scoring_system": "cvssv4",
              "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"
            },
            {
              "value": "MODERATE",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/bcrypt-ruby/bcrypt-ruby/commit/831ce64cb0a9502130fa93a28bfd9527a5fa45c4"
        },
        {
          "reference_url": "https://github.com/bcrypt-ruby/bcrypt-ruby/releases/tag/v3.1.22",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "4.5",
              "scoring_system": "cvssv4",
              "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"
            },
            {
              "value": "MODERATE",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/bcrypt-ruby/bcrypt-ruby/releases/tag/v3.1.22"
        },
        {
          "reference_url": "https://github.com/bcrypt-ruby/bcrypt-ruby/security/advisories/GHSA-f27w-vcwj-c954",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "4.5",
              "scoring_system": "cvssv4",
              "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"
            },
            {
              "value": "MODERATE",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/bcrypt-ruby/bcrypt-ruby/security/advisories/GHSA-f27w-vcwj-c954"
        },
        {
          "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bcrypt/CVE-2026-33306.yml",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "4.5",
              "scoring_system": "cvssv4",
              "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"
            },
            {
              "value": "MODERATE",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bcrypt/CVE-2026-33306.yml"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33306",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "4.5",
              "scoring_system": "cvssv4",
              "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"
            },
            {
              "value": "MODERATE",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33306"
        },
        {
          "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450565",
          "reference_id": "2450565",
          "reference_type": "",
          "scores": [],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450565"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/113428?format=json",
          "purl": "pkg:gem/bcrypt@3.1.22",
          "is_vulnerable": false,
          "affected_by_vulnerabilities": [],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/bcrypt@3.1.22"
        }
      ],
      "aliases": [
        "CVE-2026-33306",
        "GHSA-f27w-vcwj-c954"
      ],
      "risk_score": 3.1,
      "exploitability": "0.5",
      "weighted_severity": "6.2",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jr8d-a6t4-93ej"
    }
  ],
  "fixing_vulnerabilities": [],
  "risk_score": "3.1",
  "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/bcrypt@3.1.12.rc1"
}