CVE-2021-43298 — Vulnetix

Try Vulnetix Request Demo

CVE-2021-43298 PUBLISHED CVSS 9.800000190734863 CRITICAL

The code that performs password matching when using 'Basic' HTTP authentication does not use a constant-time memcmp and has no rate-limiting. This means that an unauthenticated network attacker can brute-force the HTTP basic password, byte-by-byte, by recording the webserver's response time until the unauthorized (401) response.

EPSS 0.38% · 59.1th percentile

Risk Scores

CVSS v3.1

9.800000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.38%

59.1th percentile

Affected Products

Vendor	Product	Versions
embedthis	goahead	unspecified, 0

Timeline

Jan 25, 2022 CVE Published
Jan 26, 2022 EPSS Score
Feb 2, 2022 CVE Updated
Mar 19, 2022 EPSS Score
May 11, 2022 EPSS Score
Jul 2, 2022 EPSS Score
Aug 24, 2022 EPSS Score
Oct 16, 2022 EPSS Score
Dec 7, 2022 EPSS Score
Jan 28, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Mar 21, 2023 EPSS Score

References

Open in Interactive Console →