Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThjaDQtNThxcC1nM21w

Observable Timing Discrepancy in aaugustin websockets library

The aaugustin websockets library for Python, in versions before 9.1, has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled via basic_auth_protocol_factory(credentials=...). Because the credential comparison is not constant-time, an attacker may be able to guess a password via a timing attack.

Permalink: https://github.com/advisories/GHSA-8ch4-58qp-g3mp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThjaDQtNThxcC1nM21w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-8ch4-58qp-g3mp, CVE-2021-33880
References: Repository: https://github.com/aaugustin/websockets
Blast Radius: 26.4

Affected Packages

pypi:websockets
Dependent packages: 878
Dependent repositories: 29,748
Downloads: 26,619,008 last month
Affected Version Ranges: < 9.1
Fixed in: 9.1
All affected versions: 4.0.1, 5.0.1, 8.0.1, 8.0.2, 9.0.1, 9.0.2
All unaffected versions: 11.0.1, 11.0.2, 11.0.3