The code that performs password matching when using 'Basic' HTTP authentication does not use a constant-time memcmp and has no rate-limiting. This means that an unauthenticated network attacker can brute-force the HTTP basic password, byte-by-byte, by recording the webserver's response time until the unauthorized (401) response.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: JFROG

Published: 2022-01-25T19:11:17

Updated: 2024-08-04T03:55:28.938Z

Reserved: 2021-11-03T00:00:00

Link: CVE-2021-43298

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-01-25T20:15:08.510

Modified: 2024-11-21T06:29:01.873

Link: CVE-2021-43298

cve-icon Redhat

No data.