MEDIUM · 5.9

CVE-2021-33880


Vulnerability Description

The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.
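The discrepancy described above comes from comparing the supplied password to the expected one with plain string equality. The following is an added example, not websockets' own code: a Basic Auth credential check in the leaky form beside a hardened form that uses the standard library's constant-time comparison, with a constructed credential store and a hypothetical user.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed credential store for this example (hypothetical user and password).
CREDENTIALS: Dict[str, str] = {"alice": "secret"}


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic <base64(user:password)>' into (user, password)."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_credentials_leaky(username: str, password: str) -> bool:
    """Pre-9.1 style check. str equality returns as soon as one character
    differs, so the time taken depends on how long the correct prefix is:
    that is the observable timing discrepancy."""
    return CREDENTIALS.get(username) == password


def check_credentials_constant_time(username: str, password: str) -> bool:
    """Hardened check. Both sides are hashed to a fixed length and compared
    with hmac.compare_digest, so neither the mismatch position nor the
    password length affects timing. Unknown users go through the same
    comparison against a dummy value instead of returning early."""
    expected = CREDENTIALS.get(username)
    known_user = expected is not None
    if not known_user:
        expected = "<dummy>"
    expected_digest = hashlib.sha256(expected.encode("utf-8")).digest()
    given_digest = hashlib.sha256(password.encode("utf-8")).digest()
    match = hmac.compare_digest(expected_digest, given_digest)
    return match and known_user


def authorize(header: Optional[str]) -> bool:
    """Server-side decision for one request, using the constant-time check."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    return check_credentials_constant_time(*creds)
```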

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: NONE
Availability: NONE

Affected Products

Vendor               Product                                                          Versions
Websockets Project   Websockets                                                       < 9.1
Oracle               Communications Cloud Native Core Policy                          1.14.0
Oracle               Communications Cloud Native Core Security Edge Protection Proxy  1.5.0
Oracle               Communications Cloud Native Core Service Communication Proxy     1.14.0
Oracle               Communications Cloud Native Core Unified Data Repository         1.14.0

Related Weaknesses (CWE)

References

FAQ

What is CVE-2021-33880?

CVE-2021-33880 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.

How severe is CVE-2021-33880?

CVE-2021-33880 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-33880?

Check the references section above for vendor advisories and patch information. Affected products include: Websockets Project Websockets, Oracle Communications Cloud Native Core Policy, Oracle Communications Cloud Native Core Security Edge Protection Proxy, Oracle Communications Cloud Native Core Service Communication Proxy, Oracle Communications Cloud Native Core Unified Data Repository.