Vulnerability Details CVE-2021-33880
The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 36.4%
CVSS Severity
CVSS v3 Score 5.9
CVSS v2 Score 2.6
References
- https://github.com/aaugustin/websockets/commit/547a26b685d08cac0aa64e5e65f7867ac0ea9bc0
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://github.com/aaugustin/websockets/commit/547a26b685d08cac0aa64e5e65f7867ac0ea9bc0
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
Products affected by CVE-2021-33880
-
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0
-
cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.5.0
-
cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0
-
cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.14.0
-
cpe:2.3:a:websockets_project:websockets:-
-
cpe:2.3:a:websockets_project:websockets:1.0
-
cpe:2.3:a:websockets_project:websockets:2.0
-
cpe:2.3:a:websockets_project:websockets:2.1
-
cpe:2.3:a:websockets_project:websockets:2.2
-
cpe:2.3:a:websockets_project:websockets:2.3
-
cpe:2.3:a:websockets_project:websockets:2.4
-
cpe:2.3:a:websockets_project:websockets:2.5
-
cpe:2.3:a:websockets_project:websockets:2.6
-
cpe:2.3:a:websockets_project:websockets:2.7
-
cpe:2.3:a:websockets_project:websockets:3.0
-
cpe:2.3:a:websockets_project:websockets:3.1
-
cpe:2.3:a:websockets_project:websockets:3.2
-
cpe:2.3:a:websockets_project:websockets:3.3
-
cpe:2.3:a:websockets_project:websockets:3.4
-
cpe:2.3:a:websockets_project:websockets:4.0
-
cpe:2.3:a:websockets_project:websockets:4.0.1
-
cpe:2.3:a:websockets_project:websockets:5.0
-
cpe:2.3:a:websockets_project:websockets:5.0.1
-
cpe:2.3:a:websockets_project:websockets:6.0
-
cpe:2.3:a:websockets_project:websockets:7.0
-
cpe:2.3:a:websockets_project:websockets:8.0
-
cpe:2.3:a:websockets_project:websockets:8.0.1
-
cpe:2.3:a:websockets_project:websockets:8.0.2
-
cpe:2.3:a:websockets_project:websockets:8.1
-
cpe:2.3:a:websockets_project:websockets:9.0
-
cpe:2.3:a:websockets_project:websockets:9.0.1
-
cpe:2.3:a:websockets_project:websockets:9.0.2