CVE-2021-33880 – websockets
Package
Manager: pip
Name: websockets
Vulnerable Version: >=0 <9.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00192 (percentile: 0.41328)
Details
Observable Timing Discrepancy in aaugustin websockets library
The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.
Metadata
Created: 2021-06-11T17:43:14Z
Modified: 2024-11-19T18:19:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-8ch4-58qp-g3mp/GHSA-8ch4-58qp-g3mp.json
CWE IDs: ["CWE-203", "CWE-208"]
Alternative ID: GHSA-8ch4-58qp-g3mp
Finding: F026
Auto approve: 1