Observable Timing Discrepancy in aaugustin Websockets Library for Python
CVE-2021-33880

5.9MEDIUM

Key Information:

Vendor

Websockets Project

Status
Websockets
Vendor
CVE Published:
6 June 2021

What is CVE-2021-33880?

The aaugustin websockets library for Python, specifically versions prior to 9.1, contains an observable timing discrepancy when HTTP Basic Authentication is active. This vulnerability can allow an attacker to exploit the timing differences in authentication requests, potentially leading to successful password guessing through a timing attack. Developers using this library should update to the latest version to mitigate the risks associated with this vulnerability.

References

https://github.com/aaugustin/websockets/commit/547a26b685...
x_refsource_MISC
https://www.oracle.com/security-alerts/cpujan2022.html
x_refsource_MISC
https://www.oracle.com/security-alerts/cpuapr2022.html
x_refsource_MISC

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.