CVE-2021-43298
N/A
N/A
Summary
The code that performs password matching when using 'Basic' HTTP authentication does not use a constant-time memcmp and has no rate-limiting. This means that an unauthenticated network attacker can brute-force the HTTP basic password, byte-by-byte, by recording the webserver's response time until the unauthorized (401) response.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| embedthis | goahead | unspecified < 5.1.4 | affected |
Weaknesses
- CWE-208: CWE-208
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.