CVE-2021-21335
MEDIUM
spnego_http_authentication_module < 1.1.1 - Authentication Bypass via Malformed Username
Title source: llm
Description
In the SPNEGO HTTP Authentication Module for nginx (spnego-http-auth-nginx-module) before version 1.1.1, basic authentication can be bypassed using a malformed username. This affects users of spnego-http-auth-nginx-module who have enabled basic authentication. The issue is fixed in version 1.1.1 of spnego-http-auth-nginx-module. As a workaround, one may disable basic authentication.
References (3)
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/stnoonan/spnego-http-auth-nginx-module/security/advisories/GHSA-ww8q-72rx-hc54
Patch, Third Party Advisory x_refsource_misc
https://github.com/stnoonan/spnego-http-auth-nginx-module/commit/a06f9efca373e25328b1c53639a48decd0854570
Third Party Advisory x_refsource_misc
https://github.com/stnoonan/spnego-http-auth-nginx-module/releases/tag/v1.1.1
Scores
CVSS v3: 5.3
EPSS: 0.0166
EPSS Percentile: 73.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE: CWE-287
Status: published
Products (1)
spnego_http_authentication_module_project/spnego_http_authentication_module < 1.1.1
Published: Mar 08, 2021
Tracked Since: Feb 18, 2026