CVE-2021-33880

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.

La biblioteca aaugustin websockets versiones anteriores a 9.1, para Python presenta una Discrepancia de Sincronización Observable en servidores cuando la Autenticación Básica HTTP está habilitada con basic_auth_protocol_factory(credentials=...). Un atacante puede ser capaz de adivinar una contraseña por medio de un ataque de sincronización

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-06-06 CVE Reserved
2021-06-06 CVE Published
2024-02-20 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-203: Observable Discrepancy

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/aaugustin/websockets/commit/547a26b685d08cac0aa64e5e65f7867ac0ea9bc0	2022-05-12
https://www.oracle.com/security-alerts/cpuapr2022.html	2022-05-12
https://www.oracle.com/security-alerts/cpujan2022.html	2022-05-12

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Websockets Project Search vendor "Websockets Project"		Websockets Search vendor "Websockets Project" for product "Websockets"				< 9.1 Search vendor "Websockets Project" for product "Websockets" and version " < 9.1"		python		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Policy Search vendor "Oracle" for product "Communications Cloud Native Core Policy"				1.14.0 Search vendor "Oracle" for product "Communications Cloud Native Core Policy" and version "1.14.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Security Edge Protection Proxy Search vendor "Oracle" for product "Communications Cloud Native Core Security Edge Protection Proxy"				1.5.0 Search vendor "Oracle" for product "Communications Cloud Native Core Security Edge Protection Proxy" and version "1.5.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Service Communication Proxy Search vendor "Oracle" for product "Communications Cloud Native Core Service Communication Proxy"				1.14.0 Search vendor "Oracle" for product "Communications Cloud Native Core Service Communication Proxy" and version "1.14.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Unified Data Repository Search vendor "Oracle" for product "Communications Cloud Native Core Unified Data Repository"				1.14.0 Search vendor "Oracle" for product "Communications Cloud Native Core Unified Data Repository" and version "1.14.0"		-		Affected