by bawolff 1214 days ago
> I smell an underlying sentiment of "if the attacker has access to the DB, then it is broken anyways"

To be more clear, my position is - if the service allows you to set the password for an arbitrary user, then it is broken anyways.


Again, not necessarily. This depends on the hashing scheme you use. E.g. if setting a correct password hash relies on you having access to private keys.

No it does not.

Either you allow bcrypt hashes, or this bug is inapplicable. If you are encrypting your hashes or something, then this bug cannot be leveraged.

Yes, for this very specific bug. This thread talked about having access to the database as a general attack vector.
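The two storage schemes the replies above contrast (plain bcrypt-style hashes versus hashes that depend on a key the database never holds), as an added example that is not code from the thread. It uses stdlib PBKDF2-HMAC as a stand-in for bcrypt, and `SERVER_KEY`, the `store_*`/`verify_*` functions and `forged_row_accepted` are names of my own.

```python
import hashlib
import hmac
import os

# Hypothetical server-side key ("pepper") kept outside the database,
# e.g. in a config file or KMS. Constructed demo value, not a real secret.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def _slow_hash(material: bytes, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for bcrypt so the example needs only the stdlib.
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


def store_unkeyed(password: str) -> dict:
    """Scheme A: the stored hash depends only on the password and the row's salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _slow_hash(password.encode(), salt)}


def verify_unkeyed(password: str, row: dict) -> bool:
    return hmac.compare_digest(_slow_hash(password.encode(), row["salt"]), row["hash"])


def store_keyed(password: str, key: bytes = SERVER_KEY) -> dict:
    """Scheme B: the password is keyed with SERVER_KEY before the slow hash,
    so a correct row cannot be produced without that key."""
    salt = os.urandom(16)
    peppered = hmac.new(key, password.encode(), "sha256").digest()
    return {"salt": salt, "hash": _slow_hash(peppered, salt)}


def verify_keyed(password: str, row: dict, key: bytes = SERVER_KEY) -> bool:
    peppered = hmac.new(key, password.encode(), "sha256").digest()
    return hmac.compare_digest(_slow_hash(peppered, row["salt"]), row["hash"])


def forged_row_accepted(verify) -> bool:
    """Model the thread's scenario: someone with write access to the database
    (but not to SERVER_KEY) replaces a user's row with a hash they computed
    themselves for a password they know. Returns True if `verify` would then
    accept that password, i.e. if DB write access alone defeats the scheme."""
    chosen = "writer-chosen-password"
    forged_row = store_unkeyed(chosen)  # all they can compute without the key
    return verify(chosen, forged_row)


if __name__ == "__main__":
    print("unkeyed scheme accepts forged row:", forged_row_accepted(verify_unkeyed))
    print("keyed scheme accepts forged row:  ", forged_row_accepted(verify_keyed))
```

The key only closes the direct-DB-write path: an application endpoint that sets passwords for arbitrary users still applies the key itself, which is the "broken anyways" case the thread's first comment describes.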