Critical severity 9.8 · NVD Advisory · Published Apr 10, 2017 · Updated May 13, 2026

CVE-2016-10321

Description

web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
web2py (PyPI)    < 2.14.6            2.14.6

Patches (1)

944d8bd8f3c5

Check if host is denied before verifying password

https://github.com/web2py/web2py · Leonel Câmara · May 4, 2016 · via GHSA
2 files changed · +9 −2
  • applications/admin/controllers/default.py (+3 −0, modified)
    @@ -121,6 +121,9 @@ def index():
             send = URL('site')
         if session.authorized:
             redirect(send)
    +    elif failed_login_count() >= allowed_number_of_attempts:
    +        time.sleep(2 ** allowed_number_of_attempts)
    +        raise HTTP(403)
         elif request.vars.password:
             if verify_password(request.vars.password[:1024]):
                 session.authorized = True
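Review bot: the new `elif` branch in index() calls `time.sleep(2 ** allowed_number_of_attempts)` before raising HTTP(403), but no `import time` appears in this hunk; confirm the controller already imports it, since the module is only visible here through the models file (web2py executes models before controllers, so `failed_login_count` and `allowed_number_of_attempts` resolve, but `time` is a module import and is not shared that way). The sleep is also a blocking delay inside the request handler whose length is fixed by the configured attempt limit, so every request from a denied host holds a worker thread for that long; a short fixed delay, or the 403 alone, gives the same throttling without tying up the server. Ordering-wise the branch does what the commit title says: the denied-host check now precedes `elif request.vars.password:` and therefore verify_password().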
    
  • applications/admin/models/access.py (+6 −2, modified)
    @@ -104,13 +104,12 @@ def write_hosts_deny(denied_hosts):
         portalocker.unlock(f)
         f.close()
     
    -
     def login_record(success=True):
         denied_hosts = read_hosts_deny()
         val = (0, 0)
         if success and request.client in denied_hosts:
             del denied_hosts[request.client]
    -    elif not success and not request.is_local:
    +    elif not success:
             val = denied_hosts.get(request.client, (0, 0))
             if time.time() - val[1] < expiration_failed_logins \
                 and val[0] >= allowed_number_of_attempts:
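Review bot: dropping `and not request.is_local` from the `elif` means failed logins from local clients are now recorded in hosts.deny too, which is a behaviour change the commit title ("Check if host is denied before verifying password") does not mention; add a sentence to the commit message or a comment above the branch explaining why local attempts should count. The removal of the blank line above `def login_record` is cosmetic and goes the wrong way for PEP 8, which asks for two blank lines before a top-level def.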
    @@ -121,6 +120,11 @@ def login_record(success=True):
         write_hosts_deny(denied_hosts)
         return val[0]
     
    +def failed_login_count():
    +    denied_hosts = read_hosts_deny()
    +    val = denied_hosts.get(request.client, (0, 0))
    +    return val[0]
    +
     
     # ###########################################################
     # ## session expiration
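Review bot: failed_login_count() returns `val[0]` without looking at `val[1]` or `expiration_failed_logins`, whereas login_record() above only treats a host as denied when `time.time() - val[1] < expiration_failed_logins`. Because the new caller in default.py raises HTTP(403) before verify_password() runs, a host that once reached the threshold can never complete a successful login, and the only code that deletes its entry (`login_record(success=True)`) becomes unreachable, so the lockout never expires. Mirror the expiration check here, for example return 0 when `time.time() - val[1] >= expiration_failed_logins`, or return the (count, timestamp) tuple and let the caller apply the same test as login_record().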
    
