CVE-2021-33880: Observable Timing Discrepancy in aaugustin websockets library
(updated )
The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=…). An attacker may be able to guess a password via a timing attack.
References
- github.com/aaugustin/websockets
- github.com/aaugustin/websockets/commit/547a26b685d08cac0aa64e5e65f7867ac0ea9bc0
- github.com/advisories/GHSA-8ch4-58qp-g3mp
- github.com/pypa/advisory-database/tree/main/vulns/websockets/PYSEC-2021-95.yaml
- nvd.nist.gov/vuln/detail/CVE-2021-33880
- www.oracle.com/security-alerts/cpuapr2022.html
- www.oracle.com/security-alerts/cpujan2022.html
Code Behaviors & Features
Detect and mitigate CVE-2021-33880 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →