CVE-2021-33880

MEDIUM

websockets < 9.1 - Timing Attack via HTTP Basic Authentication

Title source: llm

Description

The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.

References (3)

Core 3

Core References

Patch, Third Party Advisory x_refsource_misc

https://github.com/aaugustin/websockets/commit/547a26b685d08cac0aa64e5e65f7867ac0ea9bc0

View Patch ZIP pw:eip

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpujan2022.html

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuapr2022.html

Scores

CVSS v3 5.9

EPSS 0.0031

EPSS Percentile 54.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-203

Status published

Products (6)

oracle/communications_cloud_native_core_policy 1.14.0

oracle/communications_cloud_native_core_security_edge_protection_proxy 1.5.0

oracle/communications_cloud_native_core_service_communication_proxy 1.14.0

oracle/communications_cloud_native_core_unified_data_repository 1.14.0

pypi/websockets 0 - 9.1PyPI

websockets_project/websockets < 9.1

Published Jun 06, 2021

Tracked Since Feb 18, 2026