Observable Timing Discrepancy

CVE-2021-43298

High

9.8/10

Summary

The code that performs password matching when using 'Basic' HTTP authentication does not use a constant-time memcmp and has no rate-limiting. This means that an unauthenticated network attacker can brute-force the HTTP basic password, byte-by-byte, by recording the webserver's response time until the unauthorized (401) response.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-208 - Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References

Advisory Timeline

Published Jan 25, 2022

Observable Timing Discrepancy

CVE-2021-43298

Summary

CWE-208 - Observable Timing Discrepancy

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS