VYPR
High severity · 8.1 · NVD Advisory · Published Apr 30, 2017 · Updated May 13, 2026

CVE-2017-8342

Description

Radicale before 1.1.2 and 2.x before 2.0.0rc2 is prone to timing oracles and simple brute-force attacks when using the htpasswd authentication method.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem  Affected versions        Patched versions
Radicale  PyPI       < 1.1.2                  1.1.2
Radicale  PyPI       >= 2.0.0rc1, < 2.0.0rc2  2.0.0rc2

Affected products

2
  • Radicale/Radicale (2 versions)
    • cpe:2.3:a:radicale:radicale:*:*:*:*:*:*:*:* (range: <= 1.1.1)
    • cpe:2.3:a:radicale:radicale:2.0.0:rc1:*:*:*:*:*:*

Patches

2
190b1dd795f0

Random timer to avoid timing oracles and simple bruteforce attacks

https://github.com/Kozea/Radicale · Guillaume Ayoub · Apr 19, 2017 · via ghsa
1 file changed · +7 −3
  • radicale/auth/htpasswd.py (+7 −3, modified)
    @@ -56,7 +56,8 @@
     import base64
     import hashlib
     import os
    -
    +import random
    +import time
     
     from .. import config
     
    @@ -161,7 +162,10 @@ def is_authenticated(user, password):
                 if strippedline:
                     login, hash_value = strippedline.split(":")
                     if login == user:
    -                    # Allow encryption method to be overridden at runtime.
    -                    return _verifuncs[ENCRYPTION](hash_value, password)
    +                    if _verifuncs[ENCRYPTION](hash_value, password):
    +                        # Allow encryption method to be overridden at runtime.
    +                        return True
    +    # Random timer to avoid timing oracles and simple bruteforce attacks
    +    time.sleep(1 + random.random())
         return False
     
    
059ba8dec1f2

Random timer to avoid timing oracles and simple bruteforce attacks

https://github.com/Kozea/Radicale · Guillaume Ayoub · Apr 19, 2017 · via ghsa
1 file changed · +6 −2
  • radicale/auth.py (+6 −2, modified)
    @@ -57,6 +57,8 @@
     import functools
     import hashlib
     import os
    +import random
    +import time
     from importlib import import_module
     
     
    @@ -192,6 +194,8 @@ def is_authenticated(self, user, password):
                     line = line.strip()
                     if line:
                         login, hash_value = line.split(":")
    -                    if login == user:
    -                        return self.verify(hash_value, password)
    +                    if login == user and self.verify(hash_value, password):
    +                        return True
    +        # Random timer to avoid timing oracles and simple bruteforce attacks
    +        time.sleep(1 + random.random())
             return False
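Review bot: `if login == user and self.verify(hash_value, password)` short-circuits, so `self.verify` runs only for the matching login and an unknown username never pays for a hash verification; the `time.sleep(1 + random.random())` added below masks that difference with noise rather than equalising the work, and the two timing distributions stay separable given enough samples. Suggest running `self.verify` against a fixed dummy hash when no line matched, so every failed attempt does one verification regardless of whether the user exists, and continuing the loop on a failed verify rather than relying on the sleep. Since the sleep runs only on the failure path and blocks the request for 1-2 s, failed logins also become an easy way to tie up the server's workers; per-client rate limiting would bound brute-force attempts without that cost.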
    

Vulnerability mechanics

In both affected branches the htpasswd backend iterated over the password file and, on the first line whose login equalled the requested user, immediately returned the result of the configured verification function; when no line matched it returned False without doing any hash work. The response time therefore distinguished an unknown username from a known one with a wrong password (a username-enumeration timing oracle), and a failed attempt cost nothing beyond the request itself, so password guessing against a known account was limited only by request throughput. The fix commits above (190b1dd795f0 for the 1.x branch, 059ba8dec1f2 for 2.x) keep the early return only on success and add a `time.sleep(1 + random.random())` before returning False, so every failed authentication now takes between one and two seconds.
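The following is an added example written for this page, not Radicale's own code: it reproduces the pre-fix lookup logic beside a variant that equalises the work on the unknown-user and wrong-password paths instead of sleeping. The function and class names (`is_authenticated_vulnerable`, `is_authenticated_hardened`, `HashCounter`, `DUMMY_HASH`), the use of `{SHA}` htpasswd entries, and the two sample users are assumptions constructed here. A counter records how many hash verifications each path performs, so the oracle shows up deterministically rather than through noisy timing measurements.

```python
"""Added example (not Radicale's code): the pre-fix htpasswd lookup next to a
verification that does the same work whether or not the username exists.

Assumptions (constructed for this example): entries use the {SHA} form that
`htpasswd -s` writes, and the file content is built inline below.
"""
import base64
import hashlib
import hmac


def sha1_entry(password: str) -> str:
    """Return the htpasswd '{SHA}<base64(sha1)>' form of a password (assumed format)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed sample htpasswd file: two users, hashes computed at import time.
HTPASSWD_LINES = [
    "alice:" + sha1_entry("correct horse"),
    "bob:" + sha1_entry("battery staple"),
    "",  # blank line, as real files often contain
]

# Hash of a password nobody has; verified against when the user is unknown so the
# unknown-user path costs the same as a wrong-password path. (Assumed constant.)
DUMMY_HASH = sha1_entry("dummy-password-never-valid")


class HashCounter:
    """Counts hash verifications so the oracle is visible without timing measurements."""

    def __init__(self) -> None:
        self.calls = 0


def verify_sha1_plain(hash_value: str, password: str, counter: HashCounter) -> bool:
    """Pre-fix style comparison: ordinary string equality."""
    counter.calls += 1
    return sha1_entry(password) == hash_value


def verify_sha1_ct(hash_value: str, password: str, counter: HashCounter) -> bool:
    """Same check with a constant-time digest comparison."""
    counter.calls += 1
    return hmac.compare_digest(sha1_entry(password).encode(), hash_value.encode())


def is_authenticated_vulnerable(lines, user, password, counter):
    """Mirrors the pre-fix logic: return as soon as the login line is found.
    Unknown user -> zero hash verifications; known user -> one. That difference
    is the timing oracle, and a failed attempt costs the server almost nothing."""
    for line in lines:
        line = line.strip()
        if line:
            login, hash_value = line.split(":", 1)
            if login == user:
                return verify_sha1_plain(hash_value, password, counter)
    return False


def is_authenticated_hardened(lines, user, password, counter):
    """Same work on every path: scan the whole file, then run exactly one hash
    verification, against the user's hash if present or DUMMY_HASH if not."""
    found_hash = None
    for line in lines:
        line = line.strip()
        if not line or ":" not in line:
            continue
        login, hash_value = line.split(":", 1)
        if found_hash is None and login == user:
            found_hash = hash_value  # keep scanning instead of returning early
    candidate = found_hash if found_hash is not None else DUMMY_HASH
    matched = verify_sha1_ct(candidate, password, counter)
    # A dummy match must never authenticate an unknown user.
    return matched and found_hash is not None


def hash_work_per_path(auth_func):
    """Return the number of verifications the given checker performs for an
    unknown user and for a known user with a wrong password."""
    unknown, wrong = HashCounter(), HashCounter()
    auth_func(HTPASSWD_LINES, "mallory", "guess", unknown)
    auth_func(HTPASSWD_LINES, "alice", "guess", wrong)
    return unknown.calls, wrong.calls


if __name__ == "__main__":
    print("vulnerable (unknown, wrong):", hash_work_per_path(is_authenticated_vulnerable))  # (0, 1)
    print("hardened   (unknown, wrong):", hash_work_per_path(is_authenticated_hardened))    # (1, 1)
```

The vulnerable checker does zero hash computations for an unknown user and one for a known user, which is the measurable difference; the hardened checker always does exactly one, so neither the existence of the account nor the position of its line in the file is reflected in the work done. The shipped fix took a different route, adding a 1-2 s random sleep on every failure, which slows brute forcing but leaves the underlying work imbalance in place; the dummy-hash pattern above removes the imbalance and leaves throttling to a rate limiter at the request layer.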
